CN109508555A - Providing isolation in a virtualization system using trust domains - Google Patents


Info

Publication number
CN109508555A
Authority
CN
China
Prior art keywords
processing unit
tdrm
key
memory
mot
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811074901.XA
Other languages
Chinese (zh)
Inventor
R.L.萨希塔
B.V.帕特尔
B.E.亨特利
G.奈格
H.M.科斯拉维
I.奥齐尔
D.M.德拉姆
I.T.肖伊纳斯
S.克哈布拉
C.V.罗扎斯
G.格宗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Application filed by Intel Corp
Publication of CN109508555A
Legal status: Pending

Classifications

    • G06F21/6245 Protecting access to data via a platform, e.g. using keys or access control rules; protecting personal data, e.g. for financial or medical purposes
    • G06F21/71 Protecting specific internal or peripheral components to assure secure computing or processing of information
    • G06F21/602 Providing cryptographic facilities or services
    • G06F12/0292 User address space allocation using tables or multilevel address translation means
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/79 Protecting specific internal or peripheral components to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G06F9/45558 Hypervisors; virtual machine monitors: hypervisor-specific management and integration aspects
    • H04L63/061 Network security protocols for supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2212/1052 Indexing scheme relating to memory systems: security improvement
    • G06F2221/2107 Indexing scheme relating to G06F21/00: file encryption
    • G06F2221/2149 Indexing scheme relating to G06F21/00: restricted operating environment

Abstract

Implementations for providing isolation in a virtualization system using trust domains are described. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core that executes a trust domain resource manager (TDRM) to manage a trust domain (TD), maintains a trust domain control structure (TDCS) for managing global metadata for each TD, maintains the execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software access, and references the MOT to obtain at least one key identifier (key ID) corresponding to the encryption key assigned to the TD. The key ID allows the processing device to decrypt the memory pages assigned to the TD when the processing device is executing in the context of the TD; the memory pages assigned to the TD are encrypted with that encryption key.

Description

Providing isolation in a virtualization system using trust domains
This disclosure relates to computer systems; more particularly, to providing isolation in a virtualization system using trust domains.
Background
Modern processing devices use disk encryption to protect data at rest. However, data in memory is in plaintext and is vulnerable to attack. An attacker can use a variety of techniques, including bus scanning, software- and hardware-based memory scanning, hardware probing and the like, to retrieve data from memory. This data from memory may include sensitive data, for example privacy-sensitive data, IP-sensitive data, and also keys used for file encryption or communication. The current trend of moving data and enterprise workloads into the cloud, using virtualization-based hosting services provided by cloud service providers, further exacerbates the exposure of such data.
Brief description of the drawings
Figure 1A is a block diagram illustrating an example computing system that provides isolation in a virtualization system using trust domains, according to one implementation.
Figure 1B is a block diagram illustrating another example computing system that provides isolation in a virtualization system using trust domains, according to one implementation.
Fig. 2A is a block diagram of an example of a trust domain architecture according to one implementation.
Fig. 2B is a block diagram of another example of a trust domain architecture according to one implementation.
Fig. 3 is a block diagram of a further example of a trust domain architecture according to one implementation.
Fig. 4 is a flow diagram of an example method for providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 5 is a flow diagram of an example method for performing a trust domain exit routine when providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 6 is a flow diagram of an example method for performing a trust domain enter routine when providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 7A is a block diagram illustrating a micro-architecture for a processor in which one implementation of the disclosure may be used.
Fig. 7B is a block diagram illustrating an in-order pipeline and a register renaming stage, out-of-order issue/execution pipeline implemented according to at least one implementation of the disclosure.
Fig. 8 is a block diagram of the micro-architecture for a processing device that includes logic circuits for providing isolation in a virtualization system using trust domains, according to one implementation.
Fig. 9 is a block diagram of a computer system according to one implementation.
Fig. 10 is a block diagram of a computer system according to another implementation.
Fig. 11 is a block diagram of a system on a chip according to one implementation.
Fig. 12 illustrates another implementation of a block diagram of a computing system.
Fig. 13 illustrates another implementation of a block diagram of a computing system.
Detailed description
An architecture for providing isolation in a virtualization system using trust domains (TDs) is described. A current trend in computing is the placement of data and enterprise workloads in the cloud by using hosting services provided by cloud service providers (CSPs). As a result of hosting data and enterprise workloads in the cloud, customers of the CSP (referred to herein as tenants) are requesting better security and isolation solutions for their workloads. In particular, customers are seeking solutions that enable the software provided by the CSP to operate outside the trusted computing base (TCB) of the tenant's software. The TCB of a system refers to the set of hardware, firmware and/or software components that have the ability to influence the trust placed in the overall operation of the system.
In implementations of the disclosure, a TD architecture and an instruction set architecture (ISA) extension for the TD architecture (referred to herein as TD extensions (TDX)) are provided to give confidentiality (and integrity) to customer (tenant) software executing in an untrusted CSP infrastructure. The TD architecture, which may be a system-on-chip (SoC) capability, provides isolation between TD workloads and CSP software such as the CSP's virtual machine manager (VMM). The components of the TD architecture may include 1) memory encryption via a multi-key total memory encryption (MK-TME) engine, 2) a resource management capability referred to herein as the trust domain resource manager (TDRM), which may be a software extension of the virtual machine monitor (VMM), and 3) execution-state and memory-isolation capabilities in the processor, provided via a CPU-managed memory ownership table (MOT) and via CPU access-controlled TD control structures. The TD architecture gives the processor the ability to deploy TDs that use the MK-TME engine, the MOT and the access-controlled TD control structures for secure operation of TD workloads.
In one implementation, the tenant's software is executed in an architectural concept referred to as a TD. A TD (also referred to as a tenant TD) refers to a tenant workload (which may comprise, for example, an operating system (OS) alone together with other ring-3 applications running on the OS, or a virtual machine (VM) running on a VMM together with other ring-3 applications). Each TD operates independently of the other TDs in the system and uses the logical processor(s), memory and I/O assigned to it by the TDRM on the platform. Each TD is cryptographically isolated in memory using at least one exclusive encryption key of the MK-TME engine, which encrypts the memory (holding code and/or data) associated with the trust domain.
In implementations of the disclosure, the TDRM in the TD architecture acts as the host for the TDs and has full control of the cores and other platform hardware. The TDRM assigns one or more logical processors to the software in a TD. However, the TDRM cannot access the execution state of the TD on the assigned logical processor(s). Similarly, the TDRM assigns physical memory and I/O resources to the TDs, but it is not privy to the memory state of a TD because of the separate per-TD encryption keys enforced by the CPU and the additional integrity and replay controls on memory. Software executing in a TD operates with reduced privileges so that the TDRM can retain control of platform resources. However, under defined circumstances the TDRM cannot affect the confidentiality or integrity of the TD state in memory or in CPU structures.
Conventional systems for providing isolation in virtualized systems do not completely remove the CSP software from the tenant's TCB. Furthermore, conventional systems may rely on separate chipset subsystems, which implementations of the disclosure avoid, and which increase the TCB significantly. The TD architecture of implementations of the disclosure provides isolation between customer (tenant) workloads and CSP software by explicitly reducing the TCB, removing the CSP software from it. By providing secure isolation for CSP customer workloads (tenant TDs), the implementations provide a technical improvement over conventional systems and allow the CSP software to be removed from the customer's TCB while meeting the security and functionality requirements of the CSP. In addition, the TD architecture is scalable to multiple TDs and can support multiple tenant workloads. Furthermore, the TD architecture described herein is generic and can be applied to any dynamic random access memory (DRAM) or storage class memory (SCM)-based memory (such as non-volatile dual in-line memory modules (NV-DIMM)). As such, implementations of the disclosure allow software to take advantage of performance benefits (such as the NVDIMM direct access storage (DAS) mode for SCM) without compromising platform security requirements.
Figure 1A is showing according to the computing system 100 for providing isolation in virtualization system using TD of the realization of the disclosure Meaning property block diagram.Virtualization system 100 includes the virtualized server 110 for supporting multiple client device 101A-101C.Virtualization Server 110 includes that at least one processor 112(of execution TDRM 180 is also referred to as processing unit).TDRM 180 may include One or more TD 190A-190C(, which can be instantiated, may have access to by client terminal device 101A-101C via network interface 170) VMM(be referred to as management program).Client terminal device 101A-101C can include but is not limited to desktop PC, put down Plate computer, laptop computer, net book, notebook computer, PDA(Personal Digital Assistant), server, work station, bee Cellular telephone, mobile computing device, smart phone, the Internet facilities or any other type computing device.
TD can refer to tenant (for example, client) workload.For example, tenant's workload can only include OS together in OS On other ring-3 application for running, or may include that the VM run on VMM is applied together with other ring-3.At this In disclosed realization, individual exclusive key can be used in each TD is cryptographically isolated in memory, for encryption and TD Associated memory (keeping code and data).
Processor 112 may include one or more core 120(also referred to as handle core 120), range registers 130, storage Device administrative unit (MMU) 140 and one or more output ports 150.Figure 1B is that execution is credible with MOT 160 and one or more The place of the TDRM 180 of 128 communication of domain control structure (TDCS) 124 and one or more inter-trust domain thread control structures (TDTCS) The schematic block diagram of the detailed view of device core 120 is managed, as shown in Figure 1A.TDTCS and TD-TCS can be interchangeable herein It uses.It includes but is not limited to desktop PC, tablet computer, laptop computer, online that processor 112, which can be used in, Sheet, notebook computer, PDA, server, work station, cellular phone, mobile computing device, smart phone, the Internet facilities or In the system of the computing device of any other type.In a further implementation, processor 112 can be used in SoC system.
Computing system 100 is indicated based on the available PENTIUM of Intel Company from California Santa Clara The processing system of III, PENTIUM 4, Xeon, Itanium, XScale and/or StrongARM micro treatmenting device System, although other systems also can be used (including the PC with other micro treatmenting devices, engineering work station, set-top box etc.). In one implementation, sample system 100 executes the available WINDOWS behaviour of Microsoft Corporation from State of Washington Redmond Make the version of system, although other operating systems (for example, UNIX and Linux), embedded software and/or figure also can be used User interface.Therefore, any specific combination for being practiced without limitation to hardware circuit and software of the disclosure.
One or more processing core 120 executes the instruction of system.Handling core 120 includes but is not limited to for acquisition instruction Pre-acquiring logic, the decode logic for solving code instruction, execution logic for executing instruction etc..In the implementation, system is calculated System 100 includes the component of such as processor 112, to use the execution unit including the logic for executing algorithm for handling Data.
Virtualized server 110 includes main memory 114 and auxiliary storage 118, to store program binary file and OS Driving event.Data in auxiliary storage 118 can store in the block of referred to as page, and each page can correspond to physics and deposit Memory address set.Virtualized server 110 can use virtual storage management, wherein being run by one or more cores 120 Application (such as TD 190A-190C) using being mapped to the virtual memory address of guest-physical memory address, and visitor Physical memory address is mapped to host/system physical address by MMU 140.
Core 120 can execute MMU 140, and page is loaded into main memory 114(from auxiliary storage 118, it includes volatibility Memory and/or nonvolatile memory) in, more with the software for being run by ((for example, in core)) on processor 112 It accesses fastly.When one in TD 190A-190C attempts to access that the physics for corresponding to the page being loaded into main memory 114 is deposited When the virtual memory address of memory address, MMU 140 returns to requested data.Core 120 can execute the VMM of TDRM 180 Guest physical address to be converted to the host-physical address of main memory by part, and providing allows core 120 to read, traverse (walk) and explain these mapping agreements parameter.
In one implementation, processor 112 realizes the TD framework and ISA extension (TDX) for being used for TD framework.TD framework provides TD workload 190A-190C and the CSP software executed on processor 112 are (for example, TDRM 180 and/or CSP VMM( Such as, root VMM 180)) between isolation.The component of TD framework may include 1) via the memory encryption of MK-TME engine 145, 2) it is herein referred as the resource management capacity of TDRM 180 and 3) via MOT 160 and via the TD control structure of access control The execution state and memory isolation ability in processor 112 that (that is, TDCS 124 and TDTCS 128) is provided.TDX framework mentions The ability of TD 190A-190C is disposed for processor 112, TD 190A-190C utilizes MK-TME engine 145, MOT 160 and access The TD control structure (that is, TDCS 124 and TDTCS 128) of control is with the safety operation for TD workload 190A-190C.
In the realization of the disclosure, TDRM 180 serves as host and the complete control with core 120 and other platform hardwares System.TDRM 180 is that the software in TD 190A-190C assigns one or more logic processors.However, TDRM 180 cannot The 190A-190C for accessing the TD on assigned one or more logic processors executes state.Similarly, TDRM 180 will Physical storage and I/O resource assignation are to TD 190A-190C, but due to other on individual encryption key and memory Integrality and playback control, it is ignorant to the memory state of access TD 190A.
Relative to individual encryption key, processor can use MK-TME engine 145 to encrypt (and decryption) and execute The memory that period uses.(TME) is encrypted by total memory, by any memory access of the software executed on core 120 Asking can be encrypted in memory by encryption key.MK-TME is the enhancing to TME, is allowed using multiple encryption keys (number of keys of support is that realization is relevant).Processor 112, which can use MK-TME engine 145, to be come using different MK-TME Key encrypts different pages.MK-TME engine 145 can utilize in TD framework described herein, to support every TD 190A- One or more encryption keys of 190C, to help to realize the crypt-isolation between different CSP Client Work loads.For example, working as When using MK-TME engine 145 in TD framework, it is all to encrypt TD(that CPU default enforces TD specific key to be used Page).In addition, TD can further be selected as specific TD pages of plaintext or selection uses the difference opaque to CSP software short Specific TD pages of temporary key encryption.
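The MOT and key-ID mechanism described in the abstract and in the MK-TME paragraph above, as an added Python model that is not part of the patent or of any Intel implementation. It assumes tiny 64-byte pages, an HMAC-SHA256 keystream in place of the hardware AES engine, key ID 0 as the host key, and that an access by the TDRM to a TD-owned page is served under the host key rather than faulted; all of these are modelling choices, not details from the page.

```python
"""Toy model of the memory ownership table (MOT) and per-TD MK-TME keys (constructed).

Every host physical page is tagged in the MOT with its owning TD and the key ID of
that TD's exclusive key. A read or write from the context of the owning TD is
served under that key; a TD that does not own the page is refused by the MOT check;
the TDRM (host) only ever gets the host key applied, so TD data stays opaque to it.
The cipher is an HMAC-SHA256 keystream standing in for the hardware AES engine.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PAGE_SIZE = 64      # constructed: tiny pages keep the example readable
HOST_KEY_ID = 0     # constructed: key ID 0 stands for the host (TME) key
HOST = "TDRM"       # context name for the host-side resource manager


def keystream(key: bytes, hpa: int, length: int) -> bytes:
    """Per-page keystream from HMAC-SHA256(key, hpa || counter); stands in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = hpa.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, hpa: int, data: bytes) -> bytes:
    """XOR with the page keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, hpa, len(data))))


@dataclass
class MOTEntry:
    owner: str   # TD that owns the page, or HOST
    key_id: int  # MK-TME key ID the page is encrypted under


class Platform:
    """CPU-side state: the MK-TME key table, the MOT, and encrypted DRAM."""

    def __init__(self) -> None:
        self.keys = {HOST_KEY_ID: os.urandom(32)}  # key_id -> key (never exported)
        self.td_key_id: dict[str, int] = {}        # TD -> its exclusive key ID
        self.mot: dict[int, MOTEntry] = {}         # hpa -> MOT entry
        self.dram: dict[int, bytes] = {}           # hpa -> ciphertext

    def create_td(self, td: str) -> int:
        """TDRM creates a TD; the CPU allocates an exclusive key and returns only its ID."""
        key_id = len(self.keys)
        self.keys[key_id] = os.urandom(32)
        self.td_key_id[td] = key_id
        return key_id

    def assign_page(self, hpa: int, td: str) -> None:
        """TDRM assigns a page to a TD: the MOT records the owner and the key ID."""
        key_id = self.td_key_id[td]
        self.mot[hpa] = MOTEntry(owner=td, key_id=key_id)
        # The page is re-initialised under the TD key, so earlier contents are gone.
        self.dram[hpa] = crypt(self.keys[key_id], hpa, bytes(PAGE_SIZE))

    def _key_for(self, ctx: str, hpa: int) -> bytes:
        entry = self.mot.setdefault(hpa, MOTEntry(HOST, HOST_KEY_ID))
        if ctx == HOST:
            # Modelling assumption: the host may touch the page, but the engine only
            # applies the host key, so the TD's plaintext is never exposed to it.
            return self.keys[HOST_KEY_ID]
        if entry.owner != ctx:
            # MOT access control: a TD may not touch pages it does not own.
            raise PermissionError(f"{ctx} denied access to page {hpa:#x}")
        return self.keys[entry.key_id]

    def write(self, ctx: str, hpa: int, data: bytes) -> None:
        assert len(data) == PAGE_SIZE
        self.dram[hpa] = crypt(self._key_for(ctx, hpa), hpa, data)

    def read(self, ctx: str, hpa: int) -> bytes:
        stored = self.dram.get(hpa, bytes(PAGE_SIZE))
        return crypt(self._key_for(ctx, hpa), hpa, stored)


def demo() -> dict:
    """Walk through the isolation properties and report what each context sees."""
    p = Platform()
    p.create_td("TD-A")
    p.create_td("TD-B")
    page = 0x1000
    p.assign_page(page, "TD-A")
    secret = b"tenant A secret".ljust(PAGE_SIZE, b"\0")
    p.write("TD-A", page, secret)
    result = {
        "td_a_reads_own_page": p.read("TD-A", page) == secret,
        "tdrm_sees_plaintext": p.read(HOST, page) == secret,
    }
    try:
        p.read("TD-B", page)
        result["td_b_denied"] = False
    except PermissionError:
        result["td_b_denied"] = True
    return result


if __name__ == "__main__":
    print(demo())
```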
Each TD 190A-190C is supported by VMM(for example, using virtual machine extension (VMX)), OS and/or application software The software environment for the software stack that (by OS trustship) forms.Each TD 190A-190C is operated independently of other TD 190A-190C, And use one or more logic processors, memory and the I/O assigned by the TDRM 180 on platform.In TD 190A-190C The software of middle execution is operated by the privilege of reduction, and TDRM 180 is allowed to keep the control to platform resource;However, In the case of definition, TDRM cannot influence the confidentiality or integrality of TD 190A-190C.TD is more fully described with regard to Figure 1B below The other details of framework and TDX.
The disclosure is practiced without limitation to computer system.The alternative realizations of the disclosure can be used in other devices, such as Hand-held device and Embedded Application.Some examples of hand-held device include cellular phone, the Internet protocol device, digital camera, PDA(Personal Digital Assistant) and Hand held PC.Embedded Application may include microcontroller, digital signal processing device (DSP), piece Upper system, network computer (NetPC), set-top box, network backbone, wide area network (WAN) interchanger or can be according at least one Realize any other system for executing one or more instructions.
It can be realized in described in the text up and down one of single processing unit desktop computer or server system, but it is standby It may include in multiprocessing apparatus system that choosing, which is realized,.Computing system 100 can be the example of " maincenter " system architecture.Calculate system System 100 includes processor 112 to handle data-signal.As an illustrated example, processor 112 includes complex instruction set meter Calculation machine (CISC) micro treatmenting device, reduced instruction set computing (RISC) micro treatmenting device, very long instruction word (VLIW) micro process dress Set, realize the processing unit or any other processing unit of instruction set combination (for example, such as digital signal processing device).Processing Device 112 is coupled to processing unit bus, other components of the processing unit bus in processor 112 and computing system 100 Transmission data-signal, store instruction, data or its any group between (such as main memory 114 and/or auxiliary storage device 118) It closes.Other components of computing system 100 may include graphics accelerator, memory controller hub, I/O controller center, wireless Transceiver, flash BIOS, network controller, Audio Controller, serial expansion port, I/O controller etc..The execution pair of these elements The well-known conventional func of those skilled in the art.
In one implementation, processor 112 includes a Level 1 (L1) internal cache memory. Depending on the architecture, processor 112 may have a single internal cache or multiple levels of internal cache. Other implementations include a combination of both internal and external caches, depending on the particular implementation and its needs. The register file stores different types of data in various registers, including integer registers, floating-point registers, vector registers, banked registers, shadow registers, checkpoint registers, status registers, configuration registers and instruction pointer registers.
It should be noted that the execution unit may or may not have a floating-point unit. In one implementation, processor 112 includes a microcode (ucode) ROM for storing microcode which, when executed, performs the algorithms for certain macro-instructions or handles complex scenarios. Here, the microcode is potentially updatable so that logic errors/fixes for processor 112 can be handled.
Alternative implementations of an execution unit may also be used in microcontrollers, embedded processors, graphics devices, DSPs and other types of logic circuits. System 100 includes a main memory 114 (also referred to as memory 114). Main memory 114 includes a DRAM device, a static random access memory (SRAM) device, a flash memory device or another memory device. Main memory 114 stores instructions and/or data represented by data signals that are to be executed by processor 112. Processor 112 is coupled to main memory 114 via a processing unit bus. A system logic chip, such as a memory controller hub (MCH), may be coupled to the processing unit bus and to main memory 114. The MCH can provide a high-bandwidth memory path to main memory 114 for instruction and data storage and for the storage of graphics commands, data and textures. For example, the MCH can be used to direct data signals between processor 112, main memory 114 and other components in system 100, and to bridge the data signals between the processing unit bus, memory 114 and system I/O. The MCH may be coupled to memory 114 through a memory interface. In some implementations, the system logic chip can provide a graphics port for coupling to a graphics controller through an accelerated graphics port (AGP) interconnect.
Computing system 100 may also include an I/O controller hub (ICH). The ICH can provide direct connections to some I/O devices via a local I/O bus. The local I/O bus is a high-speed I/O bus for connecting peripherals to memory 114, the chipset and processor 112. Some examples are an audio controller, a firmware hub (flash BIOS), a wireless transceiver, a data storage device, a legacy I/O controller containing user input and keyboard interfaces, a serial expansion port such as universal serial bus (USB), and a network controller. The data storage device may include a hard disk drive, a floppy disk drive, a CD-ROM device, a flash memory device or another mass storage device.
For another implementation of a system, the instructions executed by the processor core 120 described above can be used with a system on a chip. One implementation of a system on a chip includes a processing unit and a memory. The memory of one such system is flash memory. The flash memory can be located on the same die as the processing unit and the other system components. In addition, other logic blocks such as a memory controller or a graphics controller can also be located on the system on a chip.
Referring to Figure 1B, this figure depicts a block diagram of the processor 112 of Figure 1A according to one implementation of the disclosure. In one implementation, processor 112 can execute an application stack 101 via a single core 120 or across several cores 120. As discussed above, processor 112 can provide the TD architecture and TDX to provide confidentiality (and integrity) for the customer/tenant software running in the customer (i.e. TD 190A) on untrusted cloud service provider (CSP) infrastructure. The TD architecture provides: memory isolation via MOT 160; CPU state isolation, which incorporates CPU key management via TDCS 124 and/or TDTCS 128; and a CPU measurement infrastructure for the TD 190A software.
In one implementation, the TD architecture provides ISA extensions (referred to as TDX) that support confidential operation of an OS and of OS-managed applications (virtualized and non-virtualized). A platform with TDX enabled, such as a platform including processor 112, can function as multiple cryptographic contexts referred to as TDs. For ease of explanation, a single TD 190A is depicted in Figure 1B. Each TD 190A can run a VMM, VMs, an OS and/or applications. For example, TD 190A is depicted as hosting VM 195A.
In one implementation, TDRM 180 may be included as a functional part of a VMM (for example, a root VMM). A VMM may refer to software, firmware or hardware that creates, runs and manages virtual machines (VMs), such as VM 195A. It should be noted that a VMM may create, run and manage one or more VMs. As depicted, VMM 110 is included as a component of one or more processing cores 120 of processing unit 122. VMM 110 can create and run VM 195A and assign one or more virtual processors (for example, VCPUs) to VM 195A. VM 195A may be referred to herein as guest 195A. The VMM can allow VM 195A to access the hardware of the underlying computing system (such as computing system 100 of Figure 1A). VM 195A can execute a guest operating system (OS). The VMM can manage the execution of the guest OS. The guest OS can function to control the access of the virtual processors of VM 195A to the underlying hardware and software resources of computing system 100. It should be noted that when there are many VMs 195A operating on processing unit 112, the VMM can manage each of the guest OSes executing on the many guests. In some implementations, a VMM may be implemented with TD 190A to manage VM 195A. This VMM may be referred to as a tenant VMM and/or non-root VMM, and is discussed in further detail below.
TDX also provides a programming interface for a TD management layer of the TD architecture, referred to as TDRM 180. The TDRM may be implemented as part of the CSP/root VMM. TDRM 180 manages the operation of TD 190A. Although TDRM 180 can assign and manage resources such as CPU, memory and input/output (I/O) for TD 190A, TDRM 180 is designed to operate outside the TCB of TD 190A. The TCB of a system refers to the set of hardware, firmware and/or software components that have the ability to influence the trust in the overall operation of the system.
In one implementation, the TD architecture is therefore the capability that protects software running in TD 190A. As discussed above, the components of the TD architecture may include 1) memory encryption via a TME engine having multi-key extensions to TME (for example, the MK-TME engine 145 of Figure 1A), 2) a software resource management layer (TDRM 180) and 3) execution state and memory isolation capabilities in the TD architecture.
Figure 2A is a block diagram depicting an example computing system implementing a TD architecture 200. TD architecture 200 supports two types of TD. The first type of TD is one in which the tenant trusts the CSP to enforce confidentiality and which does not implement the TD architecture of implementations of the disclosure. Such a legacy TD is depicted as TD1 210. TD1 210 is a CSP TD having a CSP VMM-managed TCB 202. TD1 210 may include a CSP VMM 212 managing a CSP VM 214 and/or one or more tenant VMs 216A, 216B. In this case, tenant VMs 216A, 216B are managed by the CSP VMM 212, which is in the TCB 202 of VMs 216A, 216B. In implementations of the disclosure, tenant VMs 216A, 216B may still leverage memory encryption via TME or MK-TME in this model (described further below).
The other type of TD is one in which the tenant does not trust the CSP to enforce confidentiality, and therefore relies on a CPU having the TD architecture of implementations of the disclosure. Such a TD is shown in two variants as TD2 220 and TD3 230. TD2 220 is shown with a virtualization mode (such as VMX) being used by a tenant VMM (non-root) 222 running in TD2 220 to manage tenant VMs 225A, 225B. TD3 230 does not include software using a virtualization mode, but instead runs an enlightened OS 235 directly in TD3 230. TD2 220 and TD3 230 are tenant TDs having a hardware-enforced TCB 204, as described in implementations of the disclosure. In one implementation, TD2 220 or TD3 230 may be the same as the TD 190A described with respect to Figures 1A and/or 1B.
TDRM 180 manages the life cycle of all three types of TD 210, 220, 230, including the allocation of resources. However, TDRM 180 is not in the TCB of the TD types TD2 220 and TD3 230. TD architecture 200 does not place any architectural restriction on the number or mix of TDs active in the system. However, software and certain hardware limitations in a particular implementation may, due to other constraints, limit the number of TDs running concurrently in the system.
Figure 2B is a block diagram depicting an example of the interaction between a TD architecture 250, TD 220 and TDRM 280. In one implementation, TD 220 and TDRM 280 are the same as their counterparts described with respect to Figure 2A. TD architecture 250 may be the same as the TD architecture provided by computing device 100 of Figures 1A and 1B and/or the TD architecture 200 of Figure 2A. TD architecture 250 provides a layer that manages the life cycle of the TDs active in the system. Processor support for TDs is provided by a form of processor operation called TDX operation. There are two kinds of TDX operation: resource-manager operation and tenant operation. In general, TDRM 180 runs in TDX resource-manager operation and TDs (such as TD2 220) run in TDX tenant operation. Transitions between resource-manager operation and tenant operation are called TDX transitions.
There are two kinds of TDX transition: TD entry 270 and TD exit 260. A transition from TDX resource-manager operation to TDX tenant operation is called a TD entry 270. A transition from TDX tenant operation to TDX resource-manager operation is called a TD exit 260.
Processor behavior in TDX resource-manager operation is similar to processor behavior outside TDX operation. The main differences are that a set of TDX operations (TDX instructions) is available, and that the values that can be loaded into certain control registers are constrained to limit the modes and abilities of TDRM 180.
Processor behavior in TDX tenant operation is similarly restricted to facilitate isolation. For example, instead of normal operation, certain events cause a TD exit 260 to TDRM 180. These TD exits 260 do not allow TDRM 180 to modify the behavior or state of TD 220. TDRM 180 uses platform capabilities to retain control of platform resources. Software running in TD 220 can use software-visible information to determine that it is running in a TD 220, and can enforce local measurement policies on additional software loaded into TD 220. However, verification of the security state of TD 220 is performed by a remote attestation party to ensure confidentiality.
TD architecture 250 is designed to minimize the compatibility impact on software that relies on virtualization when running in TD 220, and therefore leaves most interactions between the VMs 225A, 225B running in tenant operation and the tenant VMM 222 running in tenant operation unchanged. If no VMM 222 is present in TD 220, a VM OS may be modified to work with TDRM 180 acting as the root VMM.
In one implementation, TDRM 180 may explicitly decide to cause a TD exit 260, for example to terminate TD 120 or to manage memory resources (for example, to yield assigned memory resources, to request free memory resources, etc.). TD architecture 250 also provides TDRM 180 with the ability to force a TD exit 260 for preemption. On a TD exit 260, the TD architecture enforces that the execution state of TD 220 is saved in CPU-access-controlled memory assigned to TD 220, and that this execution state is encrypted using a unique encryption key of TD 220 (described further below) that is not visible to TDRM 180 or to other TDs, in order to protect the confidentiality of the TD state from TDRM 180 and other TDs. The TD execution state can similarly be protected against spoofing, remapping and/or replay via integrity controls on memory.
TD entry 270 is the complementary event to TD exit 260. For example, a TD entry 270 can occur when TDRM 180 schedules TD 220 to run on a logical processor and transfers execution to the software running in TD 220. During a TD entry 270, TD architecture 250 enforces that the execution state of TDRM 180 is saved in memory owned by the TDRM, and that this execution state is encrypted using a unique encryption key assigned for the sole use of TDRM 180.
A TD, such as TD 220, can be set up by TDRM 180 using the TDCREATE (to create a TDCS), TDTCREATE (to create a TD-TCS) and TDADDPAGE instructions, which cause the memory belonging to TD 220 to be encrypted using the TD's unique encryption key, which is not visible to or accessible by TDRM 180 or other TDs. Before any instruction belonging to the TD is executed, all TD memory is encrypted using the TD's unique key. Although specific instruction names are referred to herein, other names for the instructions may be used in implementations of the disclosure, which are not limited to the specific names provided herein.
In one implementation, TDRM 180 can launch each TD 220 with a small software image (similar to an IBB or initial boot block) after signature verification, and record the IBB measurement using the platform root of trust (for subsequent attestation). It is the IBB software executing in TD 220 that is responsible for completing the measured launch of TD 220 and for requesting additional resources from TDRM 180. TD 220 has the choice of using a single encryption key for the entire TD 220 or, when running in TD 220, of using additional encryption keys for different tenant VMs 225A, 225B (and/or containers or different memory resources such as NVRAM). Thus, when TD 220 is first set up, TD 220 uses an exclusive CPU-generated MK-TME key. Thereafter, TD 220 can optionally set up additional MK-TME encryption keys for each tenant-software-managed context operating inside TD 220 (for example, tenant VMs 225A and 225B, containers or other types of memory).
In order to minimize the software compatibility impact on the VMMs of both the CSP (for example, the TDRM root VMM 180) and the tenant VMM 222, virtualization (for example, VMX) operation may remain unmodified inside a TD 220 in TD architecture 250. Similarly, the operation of VMM software, such as extended page table (EPT) management, can remain under the control of the tenant VMM 222 (if one is active in TD 220 and is not managed by TDRM 180). As TDRM 180 assigns physical memory for each TD 220, TD architecture 250 includes the MOT (i.e. the MOT 160 described with respect to Figures 1A and 1B). Processor 112 consults the MOT managed by TDRM 180 to assign the allocation of memory to TD 220. This allows TDRM 180 the full ability to manage memory as a resource without having any visibility into the data residing in the assigned TD memory. In some implementations, as discussed above, the platform (for example, root) VMM and TDRM 180 may be in the same encryption key domain, thus sharing memory management and scheduler functions (but still remaining outside the tenant's TCB).
Figure 3 is a block diagram depicting another example of a TD architecture 300. TD architecture 300 depicts the I/O concepts of a TD. In one implementation, TD architecture 300 can allow all I/O devices (for example, NIC 320, storage device 330, single-root I/O virtualization (SR-IOV) NIC 240, etc.) to be attached to TD1 210, the legacy TD 1 210 that trusts the CSP and TDRM. In one implementation, TD architecture 300 may not allow direct assignment of devices (including SR-IOV and scalable I/O) to a TD that does not trust CSP software (for example, tenant TD2 220). Instead, TDRM 180 can provide the ability for shared memory 310 between the CSP TD (for example, TD1 210) and other TDs (for example, tenant TD 2 220) to implement synthetic ("syn") devices (for example, syn NIC 325, syn storage device 335) in the non-CSP TD (for example, tenant TD2 220). In some implementations, a tenant TD that does not trust CSP software (for example, tenant TD2 220) may be responsible for protecting its I/O data. TD architecture 300 may not protect I/O data exposed via shared memory 310. In some implementations, I/O data may be protected by using existing security protocols between the communicating endpoints.
Referring back to Figure 1B, MOT 160 (which may be referred to as the TD-MOT) is a structure, such as a table, managed by processor 112 to enforce the assignment of physical memory pages to executing TDs, such as TD 190A. Processor 112 also uses MOT 160 to enforce that the physical addresses referenced by software operating as tenant TD 190A or as TDRM 180 cannot access memory that has not been explicitly assigned to it.
MOT 160 enforces the following properties. First, software outside TD 190A should not be able to access (read/write/execute) in plaintext any memory belonging to a different TD (this includes TDRM 180). Second, memory pages assigned via MOT 160 to a specific TD (such as TD 190A) should be accessible from any processor in the system (where that processor is executing the TD to which the memory is assigned).
The MOT 160 structure is used to hold metadata attributes for each 4KB page of memory. Additional structures may be defined for additional page sizes (2MB, 1GB). The metadata for each 4KB page of memory is directly indexed by the physical page address. In other implementations, other page sizes may be supported by a hierarchical structure (like a page table).
A 4KB page referenced in MOT 160 can belong to one running instance of TD 190A. A 4KB page referenced in MOT 160 can be valid memory or marked as invalid (and thus, for example, could be IO). In one implementation, each TD instance 190A includes one page holding the TDCS 124 for that TD 190A.
In one implementation, MOT 160 is aligned on a 4KB memory boundary and occupies a physically contiguous region of memory that is protected from software access after platform initialization. In that implementation, the MOT is a micro-architectural structure and cannot be accessed directly by software. Architecturally, MOT 160 holds the following security attributes for each 4KB host physical memory page:
- Page status 162: valid/invalid (whether the page is valid memory)
- Page category: DRAM, NVRAM, IO, reserved
- Page state 163 (4-bit vector): whether the specific page is:
  - bit 1: free (a page not assigned to a TD and not used by the TDRM)
  - bit 2: assigned (a page assigned to a TD or to the TDRM)
  - bit 3: blocked (a page blocked while it is in the process of being freed/(re)assigned)
  - bit 4: pending (a dynamic page assigned to a TD but not yet accepted by the TD)
- TDID 164 (40 bits): TD identifier that assigns the page to a specific, unique TD. The address of the TDCS.
In some implementations, extended MOT 160 entries may be supported, which further include:
- Page key ID 165 (8 bits; the size is implementation specific): specifies the per-page encryption key expected to match the key ID obtained by the processor during the page walk of the physical memory referenced by the TD. If the MOT 160 entry is not an extended entry, the page key ID is derived from TDCS 124. One of the key ID values specified in the MOT may be used for memory content shared with the TDRM (or root VMM). Shared pages may hold input/output buffers to be sent to hardware devices managed by the TDRM. Similarly, shared pages may be used to emulate virtual devices exposed to the TD by the TDRM.
- Guest physical address 166 (52 bits): specifies the expected guest physical address used by the software executing in the TD. (This field is used when TDRM 180 is expected to perform memory remapping and to implement the ability to swap memory.)
- Guest permissions 167: asserted on the final page (execute, read and write, for user and supervisor). There may be multiple sets of these permission bits to support a VMM executing inside the TD.
MOT 160 may be enabled when TDX is enabled in processor 112 (for example, via a CR4 enable bit after enumeration based on CPUID). Once MOT 160 is enabled, processor 112 can use MOT 160 to enforce memory access control on all physical memory accesses initiated by software (including TDRM 180). In one implementation, the access control is enforced during the page walk for memory accesses made by software. Physical memory accesses performed by processor 112 to memory not assigned to tenant TD 190A or to TDRM 180 fail with abort-page semantics.
In implementations of the disclosure, TDRM 180 manages memory resources via MOT 160 using a MOT operation instruction (TDMOTOP) having the following instruction leaves:
- Add page to MOT (TDMOTADDPAGE): marks a free MOT 160 entry corresponding to a host physical address (HPA) as (exclusively) assigned to the TD 190A specified by a TDID. Any other prior page state causes a failure. This instruction forces a cross-thread TLB shootdown to confirm that no other TD 190A is caching a mapping to this HPA. This instruction leaf can be invoked by TDRM 180. If TDRM 180 has enabled the extended MOT, the instruction can specify the initial guest physical address (GPA) that is mapped to the specified HPA. Processor 112 verifies that the GPA is mapped to the HPA by walking the EPT structure managed by TDRM 180. A variant of the add page instruction may be implemented that assigns a page to a TD (TDMOTAUGPAGE) but does not capture a measurement of the page.
- Revoke page from MOT (TDMOTREVOKEPAGE): marks the specified page as a free page. This instruction forces a cross-thread TLB shootdown to confirm that subsequent TD 190A accesses check HPA ownership, and processor 112 clears the page contents. A TD 190A access that experiences a MOT 160 page fault during a TLB fill causes processor 112 to invalidate TDCS 124, which prevents further TD entries into TD 190A. This instruction leaf can be invoked by TDRM 180.
- Block page in MOT (TDMOTBLOCKPAGE): marks a free or assigned MOT 160 entry corresponding to an HPA as blocked for software use. Any other prior page state causes a TDRM 180 failure. This instruction forces a cross-thread TLB shootdown to confirm that subsequent TD 190A accesses check HPA ownership. This instruction leaf can be invoked by TDRM 180.
- Unblock page in MOT (TDMOTUNBLOCKPAGE): marks a blocked MOT 160 entry corresponding to an HPA as valid for software use/assignment. Any other prior page state causes a failure. This instruction leaf can be invoked by TDRM 180.
Memory assigned to TD 190A can be returned to TDRM 180 via an explicit TDCALL after the TD software has cleared any secrets from that memory. The extended operations of MOT 160 are used for the following cases, in which: (1) a VMM inside TD 190A may remap the GPAs used inside the TD, and/or (2) TDRM 180 may wish to swap memory assigned to TD 190A. In both of the above cases, a TDRM 180 EPT violation will be generated with the mismatched GPA used during the page walk. The following extended MOT instruction leaves address the above cases:
- Modify PGA in MOT (TDMOTMODPMA): to handle the first case above, TDRM 180 uses this extended MOT 160 instruction to update the MOT 160 security attributes of a page used by TD 190A. TDRM 180 provides a GPA, which the CPU uses to walk the EPT structure managed by the TD VMM and retrieve the new GPA referenced by the TD VMM. Processor 112 then performs a walk of the TDRM 180 EPT to find the referenced HPA and, if the page is assigned to the active TD 190A, updates the expected GPA attribute to match the mismatched GPA reported during the faulting walk. TDRM 180 can then resume TD 190A.
- For the second case above, TDRM 180 unmaps the GPA from its EPT structure and, on the resulting fault, should use the block page in MOT instruction (TDMODBLOCKPAGE) to mark the page as unavailable to software (cleared by flushing), and should use the extended MOT 160 instructions TDEXTRACT and TDINJECT to create a cryptographically protected, swappable version of the page content that can be restored to a newly assigned HPA. The TDEXTRACT (and TDINJECT) instructions capture (and correspondingly verify) cryptographically signed integrity information for the swapped TD page, so that it can be verified on restore. The cryptographic information may include a counter to ensure that a malicious TDRM cannot replay stale pages.
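The page-state machine and page-walk check described above, as an added Python model that is not part of the patent: the leaf names follow the page (TDMOTADDPAGE, TDMOTREVOKEPAGE, TDMOTBLOCKPAGE, TDMOTUNBLOCKPAGE), while the class names, the shootdown counter, the use of TDID 0 for TDRM-owned pages and the sample addresses and contents are constructed for this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PAGE_SIZE = 4096
FREE, ASSIGNED, BLOCKED, PENDING = "free", "assigned", "blocked", "pending"
TDRM_ID = 0  # constructed: this model uses TDID 0 for pages owned by the TDRM


class MotFault(Exception):
    """The prior page state does not allow the requested leaf (failure)."""


@dataclass
class MotEntry:
    valid: bool = True             # page status 162: valid memory or not
    category: str = "DRAM"         # page category: DRAM, NVRAM, IO, reserved
    state: str = FREE              # page state 163
    tdid: Optional[int] = None     # TDID 164: owning TD, None while free
    key_id: Optional[int] = None   # page key ID 165 (extended entry)
    gpa: Optional[int] = None      # expected GPA 166 (extended entry)


@dataclass
class Mot:
    entries: Dict[int, MotEntry] = field(default_factory=dict)
    shootdowns: int = 0            # cross-thread TLB shootdowns forced so far

    def _entry(self, hpa: int) -> MotEntry:
        if hpa % PAGE_SIZE:
            raise MotFault("HPA must be 4KB aligned")
        return self.entries.setdefault(hpa, MotEntry())

    def _tlb_shootdown(self) -> None:
        self.shootdowns += 1       # stand-in for the cross-thread shootdown

    def add_page(self, hpa: int, tdid: int, key_id: int,
                 gpa: Optional[int] = None) -> None:
        """TDMOTADDPAGE: a free entry becomes exclusively assigned to tdid."""
        e = self._entry(hpa)
        if e.state != FREE:
            raise MotFault(f"{hpa:#x}: cannot add a page in state {e.state}")
        self._tlb_shootdown()      # no other TD may keep a cached mapping
        e.state, e.tdid, e.key_id, e.gpa = ASSIGNED, tdid, key_id, gpa

    def revoke_page(self, hpa: int, memory: Dict[int, bytes]) -> None:
        """TDMOTREVOKEPAGE: entry becomes free and the page contents are cleared."""
        e = self._entry(hpa)
        self._tlb_shootdown()
        memory[hpa] = bytes(PAGE_SIZE)   # the processor clears the page
        e.state, e.tdid, e.key_id, e.gpa = FREE, None, None, None

    def block_page(self, hpa: int) -> None:
        """TDMOTBLOCKPAGE: a free or assigned entry becomes blocked."""
        e = self._entry(hpa)
        if e.state not in (FREE, ASSIGNED):
            raise MotFault(f"{hpa:#x}: cannot block a page in state {e.state}")
        self._tlb_shootdown()
        e.state = BLOCKED

    def unblock_page(self, hpa: int) -> None:
        """TDMOTUNBLOCKPAGE: a blocked entry becomes usable/assignable again."""
        e = self._entry(hpa)
        if e.state != BLOCKED:
            raise MotFault(f"{hpa:#x}: cannot unblock a page in state {e.state}")
        e.state = ASSIGNED if e.tdid is not None else FREE

    def check_access(self, hpa: int, requester: int) -> bool:
        """Page-walk check: only the owner of a valid, assigned page may touch it;
        every other access fails (abort-page semantics)."""
        e = self.entries.get(hpa & ~(PAGE_SIZE - 1))
        if e is None or not e.valid or e.state != ASSIGNED:
            return False
        return e.tdid == requester


def demo() -> dict:
    """Walk one page through its life cycle and record who can reach it."""
    mot, memory = Mot(), {}
    hpa, td1, td2 = 0x10000, 7, 9
    mot.add_page(hpa, td1, key_id=3)
    memory[hpa] = b"tenant secret".ljust(PAGE_SIZE, b"\0")   # constructed
    seen = {"owner": mot.check_access(hpa, td1),
            "other_td": mot.check_access(hpa, td2),
            "tdrm": mot.check_access(hpa, TDRM_ID)}
    try:                       # a second assignment of the same HPA must fail
        mot.add_page(hpa, td2, key_id=4)
        seen["double_add"] = "allowed"
    except MotFault:
        seen["double_add"] = "refused"
    mot.block_page(hpa)
    seen["blocked_owner"] = mot.check_access(hpa, td1)
    mot.unblock_page(hpa)
    mot.revoke_page(hpa, memory)
    seen["cleared"] = memory[hpa] == bytes(PAGE_SIZE)
    seen["after_revoke"] = mot.check_access(hpa, td1)
    seen["shootdowns"] = mot.shootdowns
    return seen
```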
In one implementation, the initialization of TDRM 180 starts by enabling TDX in processor 112 (for example, by setting CR4.TDXE, or via a VMX MSR control bit during VMXON). TDX support can be enumerated via CPUID. Once TDX is enabled, TDRM 180 executes (i.e. runs) an enable TDX mode instruction (TDXON) to enable the TDX mode of the processor; alternatively, the mode may be enabled as part of VMXON. TDXON registers a naturally aligned 4KB region of memory that the logical processor uses for the TDRM 180 state region. In one implementation, the TDRM 180 state region is stored as TDRM state 185 in a TDRM control structure (TDRCS) 182; the TD-RCS may also be implemented as a new type of VMCS that contains only host state, controls and TD exit information. In one implementation, the TDCS and TD-TCS are access-controlled via MOT 160 (for example, the encryption key ID stored in MOT 160 is used to enforce memory access control). In a further implementation, the TDCS and TD-TCS are access-controlled via one or more storage devices limited in range registers (such as range registers 130) of processor 112, and are inaccessible to software access. TDRM state 185 is discussed in further detail below. The physical address of the 4KB page for TDRCS 182 is provided in an operand to TDXON. TDRM 180 makes this page inaccessible to all TDs 190A via MOT 160. TDRM 180 should initialize and access TDRCS 185. TDRM 180 should use a separate TDRCS 185 for each logical processor.
In one implementation, the example TDRM state 185 that is initialized by TDRM 180 and loaded by processor 112 on TD exit can include, but is not limited to, the following state described in Table 1 below:
| Field | Description |
|---|---|
| RIP | Linear address in the TDRM address space at which execution starts in TD root mode on TD exit |
| RSP | TDRM stack pointer (linear address) |
| ES selector | Segment information |
| CS selector | Segment information |
| SS selector | Segment information |
| DS selector | Segment information |
| FS selector | Segment information |
| GS selector | Segment information |
| TR selector | Segment information |
| FS base | Segment base |
| GS base | Segment base |
| TR base | Segment base |
| GDTR base | Segment base |
| IDTR base | Segment base |
| CR0 | PG/NE/PE=1 forced, CD/NW ignored |
| CR3 | Allowed to be specified by the TDRM |
| CR4 | VMXE/PAE=1 forced |
| IA32_PAT | Allowed to be specified by the TDRM |
Table 1: Processor state (64-bit) loaded from the TDRCS on TD exit
The following processor state is set/fixed automatically during a TD exit (and is therefore not specified in the TD-RCS):
- CR0, CR4 (64-bit mode; may need additional CR4 mask values)
- DR7, DRs erased: cleared; the impact of the PDR bit needs to be considered
- IA32_DEBUGCTL, IA32_PERF_GLOBAL_CTRL, IA32_PAT, IA32_BNDCFGS
- IA32_EFER (ensures 64-bit mode)
- Segment registers (base, limit, access): same as VM exit
- RFLAGS: same as VM exit; set to 0x2
- LDTR: same as VM exit; null value
The following processor state is cleared automatically during a TD exit (and is therefore not specified in the TD-RCS):
- IA32_SYSENTER_CS / EIP / ESP
- IA32_KERNEL_GS_BASE
- IA32_STAR / FMASK / LSTAR
- GPRs (except RSP)
- XSAVE state
- Extended state (x87/SSE, CET, etc.): may be considered optional, with other conditions
The TD-RCS also holds control fields and an exit information structure (for reporting TD exit information), as given in Table 2 below:
| Field | Description |
|---|---|
| MSR access control bitmap address | 64-bit physical address of the 4KB page holding the MSR access control bitmap |
| XSAVES access control bitmap | 64-bit XSAVES access control bitmap |
| Extended page table pointer | 64-bit EPTP |
| TD preemption timer | 64-bit TD preemption timer |
| TD-TCS slot Id | The specific TD-TCS linked to this TD-RCS for the duration of the TD entry |
Table 2: TD-RCS structure
Table 3 below details the exit information fields in the TD-RCS:
| Field | Description |
|---|---|
| TDEXIT_REASON | 64-bit value (n bits valid, 64-n reserved). See the table of values below |
| TDEXIT_QUAL | See the table below |
Table 3: TD-RCS exit information fields
In one implementation, TD 190A can be created and launched by TDRM 180. TDRM 180 creates TD 190A using the TD creation instructions (TDCREATE and TDTCREATE). TDRM 180 selects a 4KB-aligned region of physical memory and provides it as a parameter to the TD creation instruction. This memory region is used as the TDCS 124 of TD 190A. When executed, the TDCREATE instruction causes processor 112 to verify that the destination 4KB page is assigned to the TD (using MOT 160). The TDCREATE instruction also causes processor 112 to generate an ephemeral memory encryption key and key ID for TD 190A, and to store the key ID in TDCS 124. Processor 112 then initializes the page contents on the destination page using the encryption key assigned to the TD. In one implementation, initializing the page contents includes initializing the TD state of the TD, which is described further below with respect to TDTCS 128. The TDCREATE instruction then causes processor 112 to initialize a hash for the TD measurement in TDCS 124.
In one implementation, TDRM 180 sets up the IBB code/data for TD 190A using the TDADDPAGE instruction (discussed above), which specifies (as parameters) the address of the TDCS page 124 (of TD 190A), the address in the TDRM address space of the code/data page of the TD image, and the physical page assigned to TD 190A. Processor 112 then verifies that the destination 4KB page is assigned to TD 190A. Once verified, processor 112 extends the hash for TD 190A in TDCS 124. The processor then copies the page contents from the source to the destination page using the unique encryption key assigned to TD 190A.
TDRM 180 provides the TD boot configuration via a data page containing the physical memory map (and an identity page table). TDRM 180 initializes the physical memory, and processor 112 verifies that the page is assigned to TD 190A and the identity page table. TDRM 180 then finalizes the measurement of TD 190A using the TDINIT instruction. TDRM 180 can then start executing TD 180 using the TDENTER instruction (which uses TDTCS 128, as described further below).
Referring now to TDCS 124, this control structure specifies the controls that processor 112 initializes when TD 190A is successfully created. TDCS 124 can be used once TD 190A is enabled. In one implementation, the TDCS occupies a naturally 4K-aligned region of memory. After successful execution of the TDCREATE instruction, the page identified in MOT 160 as TDCS 124 is blocked against software read/write. In one implementation, TDCS 124 is access-controlled via MOT 160 (for example, as described above, unauthorized software read/write is prevented during the page walk of processor 112 using the assigned key ID for TDCS 124 stored in MOT 160). In another implementation, TDCS 124 is access-controlled via one or more storage devices limited in range registers of processor 112, and is inaccessible to software access. TDCS 124 can include, but is not limited to, the following fields described in Table 4 below:
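The TDCREATE / TDADDPAGE / TDINIT build sequence above, as an added Python model that is not the patent's own code: the instruction names and the MRTD/MRTDBLOCKS fields follow the page, while the class names, the dictionary standing in for the MOT, the keyed-XOR stand-in for MK-TME encryption (not a real cipher), the sample image pages and the choice to extend the measurement with the raw page contents are constructed for this model.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

PAGE_SIZE = 4096


@dataclass
class Tdcs:
    """The TDCS fields this model touches (a subset of Table 4 below)."""
    tdid: int
    key_id: int
    key: bytes                          # ephemeral TD key, never visible to TDRM
    mrtd: "hashlib._Hash" = field(default_factory=hashlib.sha384)  # running MRTD
    mrtd_blocks: int = 0                # MRTDBLOCKS: pages folded in so far
    final_mrtd: Optional[bytes] = None  # set by TDINIT


@dataclass
class Processor:
    mot: Dict[int, int]                 # HPA -> owning TDID (stand-in for MOT 160)
    memory: Dict[int, bytes] = field(default_factory=dict)  # what TDRM can read
    next_key_id: int = 1

    def _check_owner(self, hpa: int, tdid: int) -> None:
        if self.mot.get(hpa) != tdid:
            raise PermissionError(f"page {hpa:#x} is not assigned to TD {tdid}")

    def _encrypt(self, key: bytes, data: bytes) -> bytes:
        # Constructed stand-in for MK-TME: XOR with a SHA-384 keystream.
        blocks = (len(data) + 47) // 48
        stream = b"".join(hashlib.sha384(key + i.to_bytes(4, "little")).digest()
                          for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def tdcreate(self, tdid: int, tdcs_hpa: int) -> Tdcs:
        """TDCREATE: check the TDCS page, mint an ephemeral key, start MRTD."""
        self._check_owner(tdcs_hpa, tdid)
        key_id, self.next_key_id = self.next_key_id, self.next_key_id + 1
        tdcs = Tdcs(tdid=tdid, key_id=key_id, key=os.urandom(32))
        self.memory[tdcs_hpa] = self._encrypt(tdcs.key, bytes(PAGE_SIZE))
        return tdcs

    def tdaddpage(self, tdcs: Tdcs, src: bytes, dst_hpa: int) -> None:
        """TDADDPAGE: check ownership, extend MRTD, copy the page under the TD key."""
        if tdcs.final_mrtd is not None:
            raise RuntimeError("measurement already finalized by TDINIT")
        self._check_owner(dst_hpa, tdcs.tdid)
        page = src.ljust(PAGE_SIZE, b"\0")
        tdcs.mrtd.update(page)          # this model extends with the page contents
        tdcs.mrtd_blocks += 1
        self.memory[dst_hpa] = self._encrypt(tdcs.key, page)

    def tdinit(self, tdcs: Tdcs) -> bytes:
        """TDINIT: finalize MRTD; from here on it is fixed for attestation."""
        tdcs.final_mrtd = tdcs.mrtd.digest()
        return tdcs.final_mrtd


def build_td(image: Dict[int, bytes], tdid: int = 5, tdcs_hpa: int = 0x2000) -> dict:
    """Build a TD from an image {HPA: page bytes} and report what each side sees."""
    cpu = Processor(mot={tdcs_hpa: tdid, **{hpa: tdid for hpa in image}})
    tdcs = cpu.tdcreate(tdid, tdcs_hpa)
    for hpa in sorted(image):
        cpu.tdaddpage(tdcs, image[hpa], hpa)
    mrtd = cpu.tdinit(tdcs)
    try:                                # adding pages after TDINIT must fail
        cpu.tdaddpage(tdcs, b"late page", 0x3000)
        late = "allowed"
    except RuntimeError:
        late = "refused"
    # What a remote verifier recomputes from the published image alone.
    expected = hashlib.sha384(b"".join(image[h].ljust(PAGE_SIZE, b"\0")
                                        for h in sorted(image))).digest()
    first = sorted(image)[0]
    return {"mrtd": mrtd.hex(),
            "mrtd_matches_image": mrtd == expected,
            "blocks": tdcs.mrtd_blocks,
            "ciphertext_differs": cpu.memory[first] != image[first].ljust(PAGE_SIZE, b"\0"),
            "late_add": late,
            "key_id": tdcs.key_id}
```

Because MRTD depends only on the added pages and not on the ephemeral key, the same image always yields the same measurement, which is what lets a remote verifier check it without ever seeing the key.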
| Field | Size (bytes) | Description |
|---|---|---|
| REVISION | 4 | Revision identifier 126 |
| TDID | 8 (40 bits valid, remainder reserved) | TD identifier 190A |
| COUNT_TCS | 4 (16 bits valid, remainder reserved) | Number of TD-TCS 142 associated with this TDCS |
| COUNT_BUSY_TCS | 4 (16 bits valid, remainder reserved) | Number of busy TD-TCS associated with this TDCS |
| KID_ENTRY_0* | 8 (8 bits valid, remainder reserved) | Ephemeral key Id* of the key assigned to TD 190A during TDCREATE |
| KID_ENTRY_1 | 8 (8 bits valid, remainder reserved) | Key Id 1 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
| KID_ENTRY_2 | 8 (8 bits valid, remainder reserved) | Key Id 2 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
| KID_ENTRY_3 | 8 (8 bits valid, remainder reserved) | Key Id 3 assigned to the TD during TDCREATE. The TD can assign a key via PCONFIG. |
| ATTRIBUTES | 16 (see the table below) | Attributes of the trust domain |
| MRTD | 48 | SHA-384 measurement 138 of the initial contents of the TD |
| RESERVED | 16 (must be 0) | Reserved to grow the MREG to SHA512 |
| MRSWID | 48 | Software-defined identifier for additional logic loaded after initial construction |
| MRCONFIGID | 48 | Software-defined identifier for additional TD SW configuration |
| MROWNER | 48 | Software-defined identifier for the owner of the VM |
| MROWNERCONFIG | 48 | Software-defined identifier for additional image configuration from the owner |
| XCR0 | 8 | Initial value of XCR0 |
| OWNERID | 8 | Owner ID |
| MRTDBLOCKS | 4 | Number of blocks updated into MRTD. (Only needed pre-TDINIT) |
| COUNT_TCS_MAX | | Maximum value specifying the maximum number of logical processors that can be assigned to this TD. (Maximum possible 4095) |
| RESERVED | | Reserved (other TD metadata) 143 |
Table 4: TDCS structure
The TDCS.ATTRIBUTES field has the bit layout described in Table 5 below:
Table 5: TDCS.ATTRIBUTES field bit layout
TD 190A can request TDRM 180 to assign N logical processors (CPUs) to TD 190A. For each requested CPU, TDRM 180 uses TDADDPAGE (parameters <op, TDCS, TD CPU index, HPA>) to add a TDTCS page 128 into TD 190A. Processor 112 verifies that the destination 4KB page is assigned to TD 190A. Processor 112 updates TCSList[index] 142 in TDCS 124 for TD 190A. TDTCS 128 may back-reference its parent TDCS 124 (which is specified in the TDADDPAGE instruction parameters).
TDRM 180 enters TD 190A using TDENTER with TDTCS 128 (parameters <TDCS, CPU index>). This activates TDTCS 128 (and the referenced TDCS 124). The TDENTER instruction checks that TDTCS 128 is not already active. On TDENTER, processor 112 activates the TD 190A key ID for enforcement by the page miss handler (PMH)/TLB. Processor 112 then loads the TD state from TDTCS 128 and TD 190A executes.
TDTCS 128 holds the execution state of a logical processor assigned to TD 190A. If a TD exit condition occurs while processor 112 is in TD tenant mode, the TD exit saves the tenant's execution state in TDTCS 128. In one implementation, TDTCS 128 is access-controlled via MOT 160 (for example, as described above, the key ID is used during the page walk of processor 112 to prevent unauthorized software read/write). In a further implementation, TDTCS 128 is access-controlled via one or more storage devices limited in range registers of processor 112, and is inaccessible to software access.
If a TD exit occurs while processor 112 is operating in the context of a non-root VMM inside TD 190A, the TD exit performs a VM exit to the TD VMM (for example, TD VMM 222) (for example, VM exit 280 of Figure 2B) that is not yet reported, saves the tenant VMM state in TDTCS 128, and performs the TD exit (key ID enforcement is switched). The subsequent TDENTER invoked by TDRM 180 performs the key ID enforcement switch and restores the tenant state from TDTCS 128 (of TD 190A), so as to restart the tenant VMM or OS. Correspondingly, if processor 112 was operating in the context of the non-root VMM during the previous TD exit, the TD entry reports the VM exit to the tenant VMM (on TD entry).
As discussed above, TDTCS 128 holds the execution state of TD 190A. The execution state of TD 190A is stored in TDTCS 128. The TDTCS may be non-architectural and may hold the fields detailed in Tables 6 to 9 below:
Field Description
STATE Execution state of the TD virtual processor. Value 0 indicates that this TD-TCS is available for TDENTER. Value 1 indicates that the TD-TCS is active (a logical processor is currently using this TD-TCS to execute the TD).
TDCS Link back to the "parent" TDCS (64b HPA)
FLAGS TD-TCS execution flags (see Table X below)
TD_STATE_S TD state corresponding to supervisor mode. See the table below.
TD_STATE_U TD state corresponding to user mode. See the table below.
Table 6: TDTCS fields
Field Bit position Description
DEBUG 0 Opt-in flag for debugging the TD-TCS
RESERVED 63:1 NA
Table 7: TDTCS execution flags
Field Description
CR0 Initial state set by TDCREATE; mask applied on subsequent loads
CR2 Loaded as saved, initialized to 0
CR3 Loaded as saved, initialized by the TD OS
CR4 Initial state set by TDCREATE; mask applied on load
DR0 Loaded as saved, initialized cleared
DR1 Loaded as saved, initialized cleared
DR2 Loaded as saved, initialized cleared
DR3 Loaded as saved, initialized cleared
DR6 Loaded as saved, initialized cleared
DR7 Loaded as saved, initialized to disable debugging
IA32_SYSENTER_CS Loaded as saved, initialized by the TD OS
IA32_SYSENTER_ESP Loaded as saved, initialized by the TD OS
IA32_SYSENTER_EIP Loaded as saved, initialized by the TD OS
SYSCALL MSRs Loaded as saved, initialized by the TD OS
IA32_EFER Loaded as saved, initialized by the TD OS
IA32_PAT Loaded as saved, initialized by the TD OS
IA32_BNDCFGS Loaded as saved, initialized by the TD OS
ES segment info Selector, base, limit, AR byte
CS segment info Selector, base, limit, AR byte
SS segment info Selector, base, limit, AR byte
DS segment info Selector, base, limit, AR byte
FS segment info Selector, base, limit, AR byte
GS segment info Selector, base, limit, AR byte
LDTR segment info Selector, base, limit, AR byte
TR segment info Selector, base, limit, AR byte
GDTR base Loaded as saved, initialized by the TD OS
GDTR limit Loaded as saved, initialized by the TD OS
IDTR base Loaded as saved, initialized by the TD OS
IDTR limit Loaded as saved, initialized by the TD OS
RIP Loaded as saved, initialized by TDCREATE for the IBB
RSP Loaded as saved, initialized by TDCREATE for the IBB
RFLAGS Loaded as saved, initialized by TDCREATE for the IBB
PDPTEs* (32-bit PAE) Loaded as saved, initialized by the TD OS
IA32_XSS Loaded as saved, initialized by the TD OS
XCR0 Loaded as saved, initialized by the TD OS
Kernel_GS_BASE Loaded as saved, initialized by the TD OS
TSC_AUX Loaded as saved, initialized by the TD OS
Table 8: TDTCS supervisor execution state
Field Description
RAX Loaded as saved, initialized by the TD OS
RBX Loaded as saved, initialized by the TD OS
RCX Loaded as saved, initialized by the TD OS
RDX Loaded as saved, initialized by the TD OS
RBP Loaded as saved, initialized by the TD OS
RSI Loaded as saved, initialized by the TD OS
RDI Loaded as saved, initialized by the TD OS
R8 Loaded as saved, initialized by the TD OS
R9 Loaded as saved, initialized by the TD OS
R10 Loaded as saved, initialized by the TD OS
R11 Loaded as saved, initialized by the TD OS
R12 Loaded as saved, initialized by the TD OS
R13 Loaded as saved, initialized by the TD OS
R14 Loaded as saved, initialized by the TD OS
R15 Loaded as saved, initialized by the TD OS
XSAVE state Loaded as saved, initialized by the TD OS
Table 9: TDTCS additional fields
In one implementation, TD 190A can be destroyed by TDRM 180. TDRM 180 destroys TD 190A using the TD destroy instructions (TDDESTROY and TDTDESTROY). The CPU verifies that all memory assigned to the TD has been revoked and that all TD-TCSs have been destroyed before it allows the TDCS to be destroyed.
Fig. 4 is a flow chart of an example method 400 for providing isolation in a virtualization system using TDs according to one implementation. Method 400 can be performed by processing logic, which may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 400 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 400 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 400.
Referring to Fig. 4, method 400 begins at block 410, where processing logic executes a TDRM to manage a TD (the TD including a VM executed by the processing device). At block 420, processing logic maintains a TDCS for managing global metadata for one or more of the TD executed by the processing logic or other TDs. Then, at block 430, processing logic maintains the execution state of the TD in a TD-TCS, the TD-TCS being access-controlled against software accesses from at least one of the TDRM, a VMM, or other TDs executed by the processing device.
Then, at block 440, processing logic references the MOT to obtain at least one key ID corresponding to the encryption key assigned to the TD. In one implementation, the key ID allows the processing logic to access memory pages assigned to the TD in response to the processing device executing in the context of the TD, where the memory pages assigned to the TD are encrypted by the encryption key. Finally, at block 450, processing logic references the MOT to obtain the guest physical address corresponding to the host physical memory page assigned to the TD. In one implementation, a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
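The two MOT lookups of blocks 440 and 450, as an added example in C that is not part of the patent and not Intel's code. The entry layout, the names mot_assign_page and mot_check_access, the 4 KB page granule, the TD id 0 used for the TDRM and the sample values (TD 1, key ID 3, GPA 0x10000, physical page 5) are assumptions made for this model. It shows why both checks matter: an EPT entry that points a TD at another TD's page fails the owner or key-ID check, while an EPT entry remapped within the same TD to a different guest address fails the GPA match.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  (~((1ULL << PAGE_SHIFT) - 1))
#define MOT_PAGES  64   /* constructed: the model covers 64 physical pages */

/* One MOT entry per host physical page (field names are assumptions). */
typedef struct {
    bool     valid;         /* page is currently assigned to a TD */
    uint16_t owner_td;      /* owning TD id (0 is used for the TDRM here) */
    uint8_t  key_id;        /* key ID the page contents are encrypted with */
    uint64_t expected_gpa;  /* guest physical address the TD mapped it at */
} mot_entry_t;

typedef struct { mot_entry_t entry[MOT_PAGES]; } mot_t;

/* What the processor knows about the currently executing context. */
typedef struct {
    uint16_t current_td;    /* 0 while executing in the TDRM */
    uint8_t  active_key_id; /* key ID enforced by the PMH/TLB after TDENTER */
} cpu_ctx_t;

typedef enum {
    ACCESS_OK, DENY_UNASSIGNED, DENY_WRONG_OWNER, DENY_KEY_MISMATCH, DENY_GPA_MISMATCH
} mot_verdict_t;

/* TDADDPAGE side: record ownership, key ID and GPA for a page given to a TD.
 * A page that is already assigned is refused (no double assignment). */
static bool mot_assign_page(mot_t *mot, uint64_t hpa, uint16_t td,
                            uint8_t key_id, uint64_t gpa) {
    uint64_t pfn = hpa >> PAGE_SHIFT;
    if (pfn >= MOT_PAGES || mot->entry[pfn].valid) return false;
    mot->entry[pfn].valid = true;
    mot->entry[pfn].owner_td = td;
    mot->entry[pfn].key_id = key_id;
    mot->entry[pfn].expected_gpa = gpa & PAGE_MASK;
    return true;
}

/* Page-walk side: the TD accesses `gpa`; the TDRM-managed EPT translated it
 * to `hpa`. Block 440 obtains the key ID from the MOT, block 450 the GPA. */
static mot_verdict_t mot_check_access(const mot_t *mot, const cpu_ctx_t *cpu,
                                      uint64_t gpa, uint64_t hpa) {
    uint64_t pfn = hpa >> PAGE_SHIFT;
    if (pfn >= MOT_PAGES || !mot->entry[pfn].valid) return DENY_UNASSIGNED;
    const mot_entry_t *e = &mot->entry[pfn];
    if (e->owner_td != cpu->current_td) return DENY_WRONG_OWNER;
    if (e->key_id != cpu->active_key_id) return DENY_KEY_MISMATCH;
    /* An EPT entry that was re-pointed to a different TD page fails here. */
    if ((gpa & PAGE_MASK) != e->expected_gpa) return DENY_GPA_MISMATCH;
    return ACCESS_OK;
}

/* Constructed scenario: TD 1 owns physical page 5 at GPA 0x10000 under key ID 3.
 * Returns the number of checks whose verdict was not the expected one. */
static int mot_demo(void) {
    mot_t mot;
    memset(&mot, 0, sizeof mot);
    cpu_ctx_t td1 = { 1, 3 }, td2 = { 2, 4 };
    uint64_t page5 = 5ULL << PAGE_SHIFT;
    int unexpected = 0;
    unexpected += !mot_assign_page(&mot, page5, 1, 3, 0x10000);
    unexpected += mot_check_access(&mot, &td1, 0x10ABC, page5) != ACCESS_OK;        /* legitimate */
    unexpected += mot_check_access(&mot, &td1, 0x20000, page5) != DENY_GPA_MISMATCH; /* EPT remap */
    unexpected += mot_check_access(&mot, &td2, 0x10000, page5) != DENY_WRONG_OWNER;  /* other TD */
    return unexpected;
}
```

The order of the checks follows the text: the processor first needs the key ID the page was assigned with (block 440) before it can compare the GPA recorded at assignment time with the GPA being accessed (block 450); in the model a TDRM context (TD id 0, TDRM key ID) never passes the owner check for a TD-owned page.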
Fig. 5 is a flow chart of an example method 500 for performing a TD exit when providing isolation in a virtualization system using TDs according to one implementation. Method 500 can be performed by processing logic, which may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 500 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 500 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 500.
Referring to Fig. 5, method 500 begins at block 510, where processing logic identifies a TD exit event. In one implementation, a TDRM is managing the TD associated with the TD exit event, and the processing logic is executing in the context of the TD when the TD exit event is identified.
At block 520, in response to identifying the TD exit event, processing logic uses a first key identifier (ID) corresponding to a first encryption key assigned to the TD to save the TD supervisor execution state and the TD user execution state into the TD-TCS corresponding to the TD. In one implementation, the execution state is encrypted by the first encryption key, and the TDCS is access-controlled against software accesses from at least one of the TDRM, a VMM, or other TDs executed by the processing device.
Then, at block 530, processing logic modifies the key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM. Finally, at block 540, processing logic loads TDRM execution and control state information so that the processing device operates in the context of the TDRM, thereby exiting to the TDRM.
Fig. 6 is a flow chart of an example method 600 for performing a TD entry when providing isolation in a virtualization system using TDs according to one implementation. Method 600 can be performed by processing logic, which may include hardware (for example, circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as operations executed by an MCU), firmware, or a combination thereof. In one implementation, method 600 is performed by processing device 112 of Fig. 1A or Fig. 1B. In another implementation, method 600 is performed by any of the processing devices described with respect to Figs. 7-12. Alternatively, other components of computing system 100 (or software executing on processing device 112) can perform some or all of the operations of method 600.
Referring to Fig. 6, method 600 begins at block 610, where processing logic identifies a TD entry event while the processing device is executing in the context of the TDRM. In one implementation, the processing logic executes the TDRM to manage the TD.
At block 620, in response to identifying the TD entry event, processing logic uses a first key ID corresponding to a first encryption key assigned to the TDRM to load the TDRM control state of the TDRM from the TDRCS corresponding to the TDRM. In one implementation, the execution state is encrypted by the first encryption key. In addition, the TDRCS can be access-controlled against software accesses from at least one of the TD or other TDs executed by the processing device.
Then, at block 630, processing logic modifies the key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD. Finally, at block 640, processing logic loads the TD supervisor execution state and the TD user execution state from the TD-TCS so that the processing device operates in the context of the TD. In one implementation, the TD-TCS is access-controlled against software accesses from at least one of the TDRM or other TDs executed by the processing device.
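The TDENTER / TD exit sequence of methods 500 and 600, together with the TDTCS activity check, the TCSList update of TDADDPAGE and the TDDESTROY ordering described earlier, as an added example in C that is neither the patent's nor Intel's code. The struct and function names are assumptions; only RIP/RSP/RFLAGS of the Table 8/9 state are modelled; the TDRM key ID is a constructed constant; and encryption under a key ID is represented by tagging the saved state with the key ID in force when it was written rather than by real memory encryption.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MAX_TCS     4
#define TDRM_KEY_ID 0   /* constructed: key ID under which TDRM state lives */

typedef struct { uint64_t rip, rsp, rflags; } regs_t;   /* subset of Tables 8/9 */

typedef struct tdtcs {
    uint8_t      state;          /* Table 6 STATE: 0 = available, 1 = active */
    struct tdcs *parent;         /* link back to the "parent" TDCS */
    regs_t       td_state_s;     /* supervisor-mode state */
    regs_t       td_state_u;     /* user-mode state */
    uint8_t      saved_with_key; /* key ID in force when the state was saved */
} tdtcs_t;

typedef struct tdcs {
    uint16_t td_id;
    uint8_t  key_id;               /* KID_ENTRY_0, assigned at TDCREATE */
    tdtcs_t *tcs_list[MAX_TCS];    /* TCSList[index] */
    int      tcs_count;
    int      data_pages;           /* TD-owned pages not yet revoked */
    bool     destroyed;
} tdcs_t;

typedef struct {
    uint16_t current_td;           /* 0 while in TDRM context */
    uint8_t  active_key_id;        /* key ID enforced by the PMH/TLB */
    regs_t   regs;                 /* live architectural state (subset) */
    regs_t   tdrcs_regs;           /* TDRM state kept in the TDRCS (modelled) */
    tdtcs_t *active_tcs;
} cpu_t;

typedef enum { TD_OK, TD_ERR_BAD_INDEX, TD_ERR_TCS_ACTIVE, TD_ERR_NOT_IN_TDRM,
               TD_ERR_NOT_IN_TD, TD_ERR_PAGES_REMAIN, TD_ERR_TCS_REMAIN } td_status_t;

/* TDADDPAGE <op, TDCS, TD CPU index, HPA> for a TDTCS page: TCSList[index] is
 * filled in and the new TCS links back to its parent TDCS. */
static td_status_t tdaddpage_tcs(tdcs_t *td, tdtcs_t *tcs, int index) {
    if (index < 0 || index >= MAX_TCS || td->tcs_list[index]) return TD_ERR_BAD_INDEX;
    memset(tcs, 0, sizeof *tcs);
    tcs->parent = td;
    td->tcs_list[index] = tcs;
    td->tcs_count++;
    return TD_OK;
}

static void td_assign_data_page(tdcs_t *td) { td->data_pages++; }
static void td_revoke_data_page(tdcs_t *td) { if (td->data_pages > 0) td->data_pages--; }

/* TDENTER <TDCS, CPU index>: method 600. Refused if the TCS is already active. */
static td_status_t tdenter(cpu_t *cpu, tdcs_t *td, int index) {
    if (cpu->current_td != 0) return TD_ERR_NOT_IN_TDRM;            /* block 610 */
    if (index < 0 || index >= MAX_TCS || !td->tcs_list[index]) return TD_ERR_BAD_INDEX;
    tdtcs_t *tcs = td->tcs_list[index];
    if (tcs->state != 0) return TD_ERR_TCS_ACTIVE;
    cpu->tdrcs_regs = cpu->regs;          /* block 620: TDRM state under TDRM key */
    tcs->state = 1;
    cpu->active_key_id = td->key_id;      /* block 630: switch key ID to the TD */
    cpu->regs = tcs->td_state_s;          /* block 640: load TD state from TDTCS */
    cpu->active_tcs = tcs;
    cpu->current_td = td->td_id;
    return TD_OK;
}

/* TD exit: method 500. */
static td_status_t tdexit(cpu_t *cpu) {
    if (cpu->current_td == 0 || !cpu->active_tcs) return TD_ERR_NOT_IN_TD; /* block 510 */
    tdtcs_t *tcs = cpu->active_tcs;
    tcs->td_state_s = cpu->regs;          /* block 520: save under the TD key */
    tcs->saved_with_key = cpu->active_key_id;
    tcs->state = 0;                       /* TCS becomes available for TDENTER */
    cpu->active_key_id = TDRM_KEY_ID;     /* block 530: switch key ID to the TDRM */
    cpu->regs = cpu->tdrcs_regs;          /* block 540: load TDRM state */
    cpu->active_tcs = NULL;
    cpu->current_td = 0;
    return TD_OK;
}

/* TDTDESTROY: a TCS may only be destroyed while no logical processor uses it. */
static td_status_t tdtdestroy(tdcs_t *td, int index) {
    if (index < 0 || index >= MAX_TCS || !td->tcs_list[index]) return TD_ERR_BAD_INDEX;
    if (td->tcs_list[index]->state != 0) return TD_ERR_TCS_ACTIVE;
    td->tcs_list[index] = NULL;
    td->tcs_count--;
    return TD_OK;
}

/* TDDESTROY: the TDCS goes last, after all pages are revoked and all TCSs are gone. */
static td_status_t tddestroy(tdcs_t *td) {
    if (td->data_pages != 0) return TD_ERR_PAGES_REMAIN;
    if (td->tcs_count != 0) return TD_ERR_TCS_REMAIN;
    td->destroyed = true;
    return TD_OK;
}
```

Two properties of the text are visible in the model: the STATE check in tdenter means a second logical processor cannot enter a TCS that another one is still executing on, and the ordering in tddestroy means a TDCS cannot be released while TD pages or TCSs still refer to it. Note that the TD-side state is written and read only while the TD key ID is active, which is what ties the saved register image to the TD's own key.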
Fig. 7A is a block diagram illustrating an in-order pipeline and a register renaming stage, out-of-order issue/execution pipeline of a processor that monitors performance of a processing device providing isolation in a virtualization system using trust domains, according to at least one implementation of the disclosure. Fig. 7B is a block diagram illustrating the out-of-order issue/execution logic, register renaming logic and in-order architecture core to be included in a processor according to at least one implementation of the disclosure. The solid boxes in Fig. 7A show the in-order pipeline, while the dashed boxes show the register renaming, out-of-order issue/execution pipeline. Similarly, the solid boxes in Fig. 7B show the in-order architecture logic, while the dashed boxes show the register renaming and out-of-order issue/execution logic.
In Fig. 7A, processor pipeline 700 includes a fetch stage 702, a length decode stage 704, a decode stage 706, an allocation stage 708, a renaming stage 710, a scheduling stage 712 (also known as dispatch or issue), a register read/memory read stage 714, an execute stage 716, a write back/memory write stage 718, an exception handling stage 722 and a commit stage 724. In some implementations, the stages are provided in a different order, and different stages may be considered in-order or out-of-order.
In Fig. 7B, arrows denote coupling between two or more units, and the direction of an arrow indicates the direction of data flow between those units. Fig. 7B shows processor core (core) 790 including a front end unit 730 coupled to an execution engine unit 750, with both coupled to a memory unit 770.
Core 790 can be a reduced instruction set computing (RISC) core, a complex instruction set computing (CISC) core, a very long instruction word (VLIW) core, or a hybrid or alternative core type. As another option, core 790 can be a special-purpose core, such as a network or communication core, a compression engine, a graphics core, or the like.
Front end unit 730 includes a branch prediction unit 732 coupled to an instruction cache unit 734; instruction cache unit 734 is coupled to an instruction translation lookaside buffer (TLB) 736, TLB 736 is coupled to an instruction fetch unit 738, which is coupled to a decode unit 740. The decode unit or decoder can decode instructions and generate as output one or more micro-operations, microcode entry points, microinstructions, other instructions or other control signals, which are decoded from, or otherwise reflect or are derived from, the original instructions. The decoder can be implemented using various different mechanisms. Examples of suitable mechanisms include, but are not limited to, look-up tables, hardware implementations, programmable logic arrays (PLAs), microcode read only memories (ROMs), etc. Instruction cache unit 734 is further coupled to a level 2 (L2) cache unit 776 in memory unit 770. Decode unit 740 is coupled to a rename/allocator unit 752 in execution engine unit 750.
Execution engine unit 750 includes rename/allocator unit 752 coupled to a retirement unit 754 and a set of one or more scheduler units 756. Scheduler units 756 represent any number of different schedulers, including reservation stations, a central instruction window, etc. Scheduler units 756 are coupled to one or more physical register file units 758. Each of physical register file units 758 represents one or more physical register files, different ones of which store one or more different data types (such as scalar integer, scalar floating point, packed integer, packed floating point, vector integer, vector floating point, etc.), status (for example, an instruction pointer that is the address of the next instruction to be executed), etc. Physical register file units 758 are overlapped by retirement unit 754 to illustrate the various ways in which register renaming and out-of-order execution may be implemented (for example, using one or more reorder buffers and one or more retirement register files; using one or more future files, one or more history buffers and one or more retirement register files; using register maps and a pool of registers; etc.).
Generally, the architectural registers are visible from the outside of the processor or from a programmer's perspective. The registers are not limited to any known particular type of circuit. Various different types of registers are suitable as long as they are capable of storing and providing data as described herein. Examples of suitable registers include, but are not limited to, dedicated physical registers, dynamically allocated physical registers using register renaming, combinations of dedicated and dynamically allocated physical registers, etc. Retirement unit 754 and physical register file units 758 are coupled to one or more execution clusters 760. Execution clusters 760 include a set of one or more execution units 762 and a set of one or more memory access units 764. Execution units 762 can perform various operations (for example, shifts, addition, subtraction, multiplication) on various types of data (for example, scalar floating point, packed integer, packed floating point, vector integer, vector floating point).
While some implementations may include a number of execution units dedicated to specific functions or sets of functions, other implementations may include only one execution unit, or multiple execution units that all perform all functions. Scheduler units 756, physical register file units 758 and execution clusters 760 are shown as being possibly plural because certain implementations create separate pipelines for certain types of data/operations (for example, a scalar integer pipeline, a scalar floating point/packed integer/packed floating point/vector integer/vector floating point pipeline and/or a memory access pipeline, each having its own scheduler unit, physical register file unit and/or execution cluster; in the case of a separate memory access pipeline, certain implementations are realized in which only the execution cluster of this pipeline has memory access units 764). It should also be understood that where separate pipelines are used, one or more of these pipelines may be out-of-order issue/execution while the rest are in-order.
The set of memory access units 764 is coupled to memory unit 770, which includes a data TLB unit 772 coupled to a data cache unit 774, which in turn is coupled to a level 2 (L2) cache unit 776. In one exemplary implementation, memory access units 764 may include a load unit, a store address unit and a store data unit, each of which is coupled to data TLB unit 772 in memory unit 770. L2 cache unit 776 is coupled to one or more other levels of cache and eventually to a main memory.
By way of example, the exemplary register renaming, out-of-order issue/execution core architecture may implement pipeline 700 of Fig. 7A as follows: 1) instruction fetch 738 performs fetch stage 702 and length decode stage 704; 2) decode unit 740 performs decode stage 706; 3) rename/allocator unit 752 performs allocation stage 708 and renaming stage 710; 4) scheduler units 756 perform scheduling stage 712; 5) physical register file units 758 and memory unit 770 perform register read/memory read stage 714, and execution cluster 760 performs execute stage 716; 6) memory unit 770 and physical register file units 758 perform write back/memory write stage 718; 7) various units may be involved in exception handling stage 722; and 8) retirement unit 754 and physical register file units 758 perform commit stage 724.
Core 790 may support one or more instruction sets (for example, the x86 instruction set (with some extensions that have been added with newer versions); the MIPS instruction set of MIPS Technologies of Sunnyvale, California; the ARM instruction set (with optional additional extensions such as NEON) of ARM Holdings of Sunnyvale, California).
It should be understood that the core may support multithreading (executing two or more parallel sets of operations or threads), and may do so in a variety of ways, including time sliced multithreading, simultaneous multithreading (where a single physical core provides a logical core for each of the threads that the physical core is simultaneously multithreading), or a combination thereof (for example, time sliced fetching and decoding followed by simultaneous multithreading, as in the Intel® Hyper-Threading technology).
While register renaming is described in the context of out-of-order execution, it should be understood that register renaming may be used in an in-order architecture. While the illustrated implementation of the processor also includes separate instruction and data cache units 734/774 and a shared L2 cache unit 776, alternative implementations may have a single internal cache for both instructions and data, such as a level 1 (L1) internal cache, or multiple levels of internal cache. In some implementations, the system may include a combination of an internal cache and an external cache that is external to the core and/or the processor. Alternatively, all of the cache may be external to the core and/or the processor.
Fig. 8 is a block diagram of the micro-architecture of a processing device 800 that includes logic circuits for providing isolation in a virtualization system using trust domains, according to one implementation. In some implementations, an instruction may be implemented to operate on data elements having sizes of byte, word, doubleword, quadword, etc., as well as data types such as single and double precision integer and floating point types. In one implementation, in-order front end 801 is the part of processing device 800 that fetches the instructions to be executed and prepares them for later use in the processing device pipeline. Implementations providing isolation in a virtualization system using trust domains can be implemented in processing device 800.
Front end 801 may include several units. In one implementation, instruction prefetcher 816 fetches instructions from memory and feeds them to instruction decoder 818, which in turn decodes or interprets them. For example, in one implementation, the decoder decodes a received instruction into one or more operations called "microinstructions" or "micro-operations" (also called micro ops or uops) that the machine can execute. In other implementations, the decoder parses the instruction into an opcode and corresponding data and control fields that are used by the micro-architecture to perform operations in accordance with one implementation. In one implementation, trace cache 830 takes decoded uops and assembles them into program-ordered sequences or traces in uop queue 834 for execution. When trace cache 830 encounters a complex instruction, microcode ROM 832 provides the uops needed to complete the operation.
Some instructions are converted into a single micro-op, whereas others need several micro-ops to complete the full operation. In one implementation, if more than four micro-ops are needed to complete an instruction, decoder 818 accesses microcode ROM 832 to perform the instruction. For one implementation, an instruction can be decoded into a small number of micro-ops for processing at instruction decoder 818. In another implementation, an instruction can be stored within microcode ROM 832 should a number of micro-ops be needed to accomplish the operation. Trace cache 830 refers to an entry point programmable logic array (PLA) to determine the correct micro-instruction pointer for reading the microcode sequences that complete one or more instructions in accordance with one implementation from microcode ROM 832. After microcode ROM 832 finishes sequencing micro-ops for an instruction, front end 801 of the machine resumes fetching micro-ops from trace cache 830.
Out-of-order execution engine 803 is where the instructions are prepared for execution. The out-of-order execution logic has a number of buffers to smooth out and re-order the flow of instructions to optimize performance as they go down the pipeline and get scheduled for execution. The allocator logic allocates the machine buffers and resources that each uop needs in order to execute. The register renaming logic renames logical registers onto entries in a register file. The allocator also allocates an entry for each uop in one of the two uop queues, one for memory operations and one for non-memory operations, in front of the instruction schedulers: memory scheduler, fast scheduler 802, slow/general floating point scheduler 804 and simple floating point scheduler 806. Uop schedulers 802, 804, 806 determine when a uop is ready to execute based on the readiness of their dependent input register operand sources and the availability of the execution resources the uops need to complete their operation. Fast scheduler 802 of one implementation can schedule on each half of the main clock cycle, while the other schedulers can only schedule once per main processing device clock cycle. The schedulers arbitrate for the dispatch ports to schedule uops for execution.
Register files 808, 810 sit between schedulers 802, 804, 806 and execution units 812, 814, 816, 818, 810, 812, 814 in execution block 811. There are separate register files 808, 810 for integer and floating point operations, respectively. Each register file 808, 810 of one implementation also includes a bypass network that can bypass or forward just-completed results that have not yet been written into the register file to new dependent uops. Integer register file 808 and floating point register file 810 are also capable of exchanging data with each other. For one implementation, integer register file 808 is split into two separate register files, one register file for the low order 32 bits of data and a second register file for the high order 32 bits of data. Floating point register file 810 of one implementation has 128 bit wide entries because floating point instructions typically have operands from 64 to 128 bits in width.
Execution block 811 contains execution units 812, 814, 816, 818, 810, 812, 814, where the instructions are actually executed. This section includes register files 808, 810 that store the integer and floating point data operand values that the micro-instructions need in order to execute. Processing device 800 of one implementation comprises a number of execution units: address generation unit (AGU) 812, AGU 814, fast ALU 816, fast ALU 818, slow ALU 810, floating point ALU 812 and floating point move unit 814. For one implementation, floating point execution blocks 812, 814 execute floating point, MMX, SIMD and SSE, or other operations. Floating point ALU 812 of one implementation includes a 64 bit by 64 bit floating point divider to execute divide, square root and remainder micro-ops. For implementations of the disclosure, instructions involving a floating point value may be handled by the floating point hardware.
In one implementation, the ALU operations go to the high-speed ALU execution units 816, 818. Fast ALUs 816, 818 of one implementation can execute fast operations with an effective latency of half a clock cycle. For one implementation, most complex integer operations go to slow ALU 810, since slow ALU 810 includes integer execution hardware for long latency types of operations, such as a multiplier, shifts, flag logic and branch processing. Memory load/store operations are executed by AGUs 812, 814. For one implementation, integer ALUs 816, 818, 810 are described in the context of performing integer operations on 64 bit data operands. In alternative implementations, ALUs 816, 818, 810 can be implemented to support a variety of data bit widths, including 16, 32, 128, 256, etc. Similarly, floating point units 812, 814 can be implemented to support a range of operands having bits of various widths. For one implementation, floating point units 812, 814 can operate on 128 bit wide packed data operands in conjunction with SIMD and multimedia instructions.
In one implementation, uop schedulers 802, 804, 806 dispatch dependent operations before the parent load has finished executing. As uops are speculatively scheduled and executed in processing device 800, processing device 800 also includes logic to handle memory misses. If a data load misses in the data cache, there can be dependent operations in flight in the pipeline that have left the scheduler with temporarily incorrect data. A replay mechanism tracks and re-executes instructions that use incorrect data. Only the dependent operations need to be replayed, and the independent ones are allowed to complete. The schedulers and replay mechanism of one implementation of a processing device are also designed to catch instruction sequences for text string comparison operations.
Processing device 800 also includes logic to provide isolation in a virtualization system using trust domains according to one implementation. In one implementation, execution block 811 of processing device 800 may include TDRM 180, MOT 160, TDCS 124 and TDTCS 128 to provide isolation in a virtualization system using trust domains according to the description herein.
The term "registers" may refer to the on-board processing device storage locations that are used as part of instructions to identify operands. In other words, registers may be those that are usable from the outside of the processing device (from a programmer's perspective). However, the registers of an implementation should not be limited in meaning to a particular type of circuit. Rather, a register of an implementation is capable of storing and providing data, and of performing the functions described herein. The registers described herein can be implemented by circuitry within a processing device using any number of different techniques, such as dedicated physical registers, dynamically allocated physical registers using register renaming, combinations of dedicated and dynamically allocated physical registers, etc. In one implementation, integer registers store 32 bit integer data. A register file of one implementation also contains eight multimedia SIMD registers for packed data.
For the discussions herein, the registers are understood to be data registers designed to hold packed data, such as the 64 bit wide MMX registers (also referred to as "mm" registers in some instances) in microprocessors enabled with MMX technology from Intel Corporation of Santa Clara, California. These MMX registers, available in both integer and floating point forms, can operate with the packed data elements that accompany SIMD and SSE instructions. Similarly, 128 bit wide XMM registers relating to SSE2, SSE3, SSE4 or beyond (referred to generically as "SSEx") technology can also be used to hold such packed data operands. In one implementation, in storing packed data and integer data, the registers do not need to differentiate between the two data types. In one implementation, integer and floating point data are either contained in the same register file or in different register files. Furthermore, in one implementation, floating point and integer data may be stored in different registers or in the same registers.
Implementations may be realized in many different system types. Referring now to Figure 9, shown is a block diagram of a multiprocessor system 900 in accordance with an implementation. As shown in Figure 9, multiprocessor system 900 is a point-to-point interconnect system, and includes a first processing device 970 and a second processing device 980 coupled via a point-to-point interconnect 950. As shown in Figure 9, each of processing devices 970 and 980 may be a multicore processing device, including first and second processing device cores (not shown), although potentially many more cores may be present in the processing devices. In accordance with an implementation of the disclosure, each processing device may include hybrid write mode logic. Implementations of providing isolation in virtualized systems using trust domains can be implemented in processing device 970, processing device 980, or both.
While shown with two processing devices 970, 980, it is to be understood that the scope of the present disclosure is not so limited. In other implementations, one or more additional processing devices may be present in a given processing device.
Processing devices 970 and 980 are shown including integrated memory controller units 972 and 982, respectively. Processing device 970 also includes point-to-point (P-P) interfaces 976 and 978 as part of its bus controller units; similarly, second processing device 980 includes P-P interfaces 986 and 988. Processing devices 970, 980 may exchange information via a point-to-point (P-P) interface 950 using P-P interface circuits 978, 988. As shown in Figure 9, IMCs 972 and 982 couple the processing devices to respective memories, namely a memory 932 and a memory 934, which may be portions of main memory locally attached to the respective processing devices.
Processing devices 970, 980 may each exchange information with a chipset 990 via individual P-P interfaces 952, 954 using point-to-point interface circuits 976, 994, 986, 998. Chipset 990 may also exchange information with a high-performance graphics circuit 938 via a high-performance graphics interface 939.
A shared cache (not shown) may be included in either processing device or outside of both processing devices, yet connected with the processing devices via a P-P interconnect, such that the local cache information of either or both processing devices may be stored in the shared cache if a processing device is placed into a low-power mode.
Chipset 990 may be coupled to a first bus 916 via an interface 996. In one implementation, first bus 916 may be a Peripheral Component Interconnect (PCI) bus, or a bus such as a PCI Express bus or another third-generation I/O interconnect bus, although the scope of the present disclosure is not so limited.
As shown in Figure 9, various I/O devices 914 may be coupled to first bus 916, along with a bus bridge 918 that couples first bus 916 to a second bus 920. In one implementation, second bus 920 may be a low pin count (LPC) bus. Various devices may be coupled to second bus 920, including, for example, a keyboard and/or mouse 922, communication devices 927, and a storage unit 928 such as a disk drive or, in one implementation, another mass storage device that may include instructions/code and data 930. Further, an audio I/O 924 may be coupled to second bus 920. Note that other architectures are possible. For example, instead of the point-to-point architecture of Figure 9, a system may implement a multi-drop bus or another such architecture.
Referring now to Figure 10, shown is a block diagram of a third system 1000 in accordance with an implementation of the disclosure. Like elements in Figures 9 and 10 bear like reference numerals, and certain aspects of Figure 9 have been omitted from Figure 10 in order to avoid obscuring other aspects of Figure 10.
Figure 10 illustrates that processing devices 970, 980 may include integrated memory and I/O control logic ("CL") 972 and 982, respectively. For at least one implementation, CL 972, 982 may include integrated memory controller units such as those described herein. In addition, CL 972, 982 may also include I/O control logic. Figure 9 illustrates that memories 932, 934 are coupled to CL 972, 982, and that I/O devices 1014 are also coupled to control logic 972, 982. Legacy I/O devices 1015 are coupled to chipset 990. Implementations of providing isolation in virtualized systems using trust domains can be implemented in processing device 970, processing device 980, or both.
Figure 11 is an example system on a chip (SoC) that may include one or more of the cores 1102. Other system designs and configurations known in the art for laptop computers, desktop computers, handheld PCs, personal digital assistants, engineering workstations, servers, network devices, network hubs, switches, embedded processing devices, digital signal processing devices (DSPs), graphics devices, video game devices, set-top boxes, microcontrollers, mobile phones, portable media players, handheld devices, and various other electronic devices are also suitable. In general, a wide variety of systems or electronic devices capable of incorporating a processing device and/or other execution logic as disclosed herein are generally suitable.
Referring now to Figure 11, shown is a block diagram of an SoC 1100 in accordance with an implementation of the disclosure. Dashed-line boxes are features found on more advanced SoCs. In Figure 11, one or more interconnect units 1102 are coupled to: an application processing device 1110, which includes a set of one or more shared cache units 1106 and one or more cores 1102A-N; a system agent unit 1112; one or more bus controller units 1116; one or more integrated memory controller units 1114; a set of one or more media processors 1120, which may include integrated graphics logic 1108, an image processing device 1124 for providing still and/or video camera functionality, an audio processing device 1126 for providing hardware audio acceleration, and a video processing device 1128 for providing video encode/decode acceleration; a static random access memory (SRAM) unit 1130; a direct memory access (DMA) unit 1132; and a display unit 1140 for coupling to one or more external displays. Implementations of providing isolation in virtualized systems using trust domains can be implemented in SoC 1100.
Turning next to Figure 12, an implementation of an SoC design in accordance with implementations of the disclosure is depicted. As an illustrative example, SoC 1200 is included in user equipment (UE). In one implementation, UE refers to any device to be used by an end user to communicate, such as a handheld phone, smartphone, tablet, ultra-thin notebook, notebook with a broadband adapter, or any other similar communication device. A UE may connect to a base station or node, which can correspond in nature to a mobile station (MS) in a GSM network. Implementations of providing isolation in virtualized systems using trust domains can be implemented in SoC 1200.
Here, SoC 1220 includes two cores, 1206 and 1207. Similar to the discussion above, cores 1206 and 1207 may conform to an instruction set architecture, such as a processing device having the Intel Architecture Core, an Advanced Micro Devices, Inc. (AMD) processing device, a MIPS-based processing device, an ARM-based processing device design, or a customer thereof, as well as their licensees or adopters. Cores 1206 and 1207 are coupled to cache control 1208, which is associated with bus interface unit 1209 and L2 cache 1210 to communicate with other parts of system 1200. Interconnect 1211 includes an on-chip interconnect, such as an IOSF, AMBA, or other interconnect discussed above, which can implement one or more aspects of the described disclosure.
Interconnect 1211 provides communication channels to the other components, such as a Subscriber Identity Module (SIM) 1230 to interface with a SIM card, a boot ROM 1235 to hold boot code for execution by cores 1206 and 1207 to initialize and boot SoC 1200, an SDRAM controller 1240 to interface with external memory (e.g., DRAM 1260), a flash controller 1245 to interface with non-volatile memory (e.g., flash memory 1265), a peripheral control 1250 (e.g., Serial Peripheral Interface) to interface with peripherals, video codec 1220 and video interface 1225 to display and receive input (e.g., touch-enabled input), GPU 1215 to perform graphics-related computations, and so on. Any of these interfaces may incorporate aspects of the implementations described herein.
In addition, the system illustrates peripherals for communication, such as a Bluetooth module 1270, 3G modem 1275, GPS 1280, and Wi-Fi 1285. Note that, as stated above, a UE includes a radio for communication. As a result, these peripheral communication modules may not all be included. However, a UE should include some form of radio for external communication.
Figure 13 illustrates a diagrammatic representation of a machine in the example form of a computing system 1300 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client device in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch, or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. Implementations of the page conversion and section handling described herein can be implemented in computing system 1300.
Computing system 1300 includes a processing device 1302, a main memory 1304 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or DRAM (RDRAM), etc.), a static memory 1306 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 1318, which communicate with each other via a bus 1330.
Processing device 1302 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computer (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processing device implementing other instruction sets, or a processing device implementing a combination of instruction sets. Processing device 1302 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processing device (DSP), a network processing device, or the like. In one implementation, processing device 1302 may include one or more processing device cores. Processing device 1302 is configured to execute processing logic 1326 for performing the operations discussed herein. In one implementation, processing device 1302 can be part of the computer system 100 of Figure 1. Alternatively, computing system 1300 can include other components as described herein. It should be understood that a core may support multithreading (executing two or more parallel sets of operations or threads), and may do so in a variety of ways, including time-sliced multithreading, simultaneous multithreading (where a single physical core provides a logical core for each of the threads that the physical core is simultaneously multithreading), or a combination thereof (e.g., time-sliced fetching and decoding followed by simultaneous multithreading, such as in Intel Hyper-Threading technology).
Computing system 1300 may further include a network interface device 1308 communicatively coupled to a network 1320. Computing system 1300 may also include a video display unit 1310 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1312 (e.g., a keyboard), a cursor control device 1314 (e.g., a mouse), a signal generation device 1316 (e.g., a speaker), or other peripheral devices. Furthermore, computing system 1300 may include a graphics processing unit 1322, a video processing unit 1328, and an audio processing unit 1332. In another implementation, computing system 1300 may include a chipset (not shown), which refers to a group of integrated circuits, or chips, designed to work with processing device 1302 and to control communications between processing device 1302 and external devices. For example, the chipset may be a set of chips on a motherboard that links processing device 1302 to very high-speed devices, such as main memory 1304 and graphics controllers, and that links processing device 1302 to lower-speed peripheral buses, such as USB, PCI, or ISA buses.
Data storage device 1318 may include a computer-readable storage medium 1324 on which is stored software 1326 embodying any one or more of the methodologies of functions described herein. Software 1326 may also reside, completely or at least partially, within main memory 1304 as instructions 1326 and/or within processing device 1302 as processing logic 1326 during execution thereof by computing system 1300; main memory 1304 and processing device 1302 thus also constitute computer-readable storage media.
Computer-readable storage medium 1324 may also be used to store instructions 1326 utilizing processing device 1302, such as described with respect to Figure 1, and/or a software library containing methods that call the above applications. While computer-readable storage medium 1324 is shown in an example implementation to be a single medium, the term "computer-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions. The term "computer-readable storage medium" shall also be taken to include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by the machine and that causes the machine to perform any one or more of the methodologies of the implementations. The term "computer-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories and optical and magnetic media.
The following examples pertain to further implementations. Example 1 is a processing device for providing isolation in virtualized systems using trust domains. Further to Example 1, the processing device comprises: a memory ownership table (MOT) that is access-controlled against software access; and a processing core, which, further to Example 1, is to: execute a trust domain (TD) and a trust domain resource manager (TDRM) that manages the TD; maintain a trust domain control structure (TDCS) for managing global metadata for one or more of the TD or other TDs executed by the processing device; maintain an execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are referenced by the TDCS and are access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs; reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key; and reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
In Example 2, the subject matter of Example 1 can optionally include wherein the VMM comprises a TDRM component that provides memory management via extended page tables (EPT) for at least one of: the TD, the other TDs, or one or more virtual machines (VMs). In Example 3, the subject matter of any one of Examples 1-2 can optionally include wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCSs corresponding to logical processors of the TD, and wherein the TD-TCS stores a user execution state and a supervisor execution state of the TD. In Example 4, the subject matter of any one of Examples 1-3 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
In Example 5, the subject matter of any one of Examples 1-4 can optionally include wherein the MK-TME engine generates multiple encryption keys, accessed via the key ID assigned to the TD, for encrypting and decrypting the memory pages of the TD and for encrypting and decrypting memory pages corresponding to persistent memory assigned to the TD, and wherein the MOT tracks the multiple key IDs via a key ID associated with each entry in the MOT. In Example 6, the subject matter of any one of Examples 1-5 can optionally include wherein the processing core references the MOT for a host physical memory page accessed as part of a page walk operation, in order to access a guest physical memory page mapped by the EPT. In Example 7, the subject matter of any one of Examples 1-6 can optionally include wherein the TD comprises at least one of an operating system (OS) to manage one or more applications or a VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from at least one of the VMM to the OS of the TD or from the TDRM to the VMM of the TD.
In Example 8, the subject matter of any one of Examples 1-7 can optionally include wherein the TDRM is not included in the trusted computing base (TCB) of the TD. In Example 9, the subject matter of any one of Examples 1-8 can optionally include wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party for verifying the cryptographic measurement.
In Example 10, the subject matter of any one of Examples 1-9 can optionally include wherein the processing core further maintains a measurement state of the TD in the TDCS, the TDCS being access-controlled against software access from software comprising at least the TDRM, the VMM, or the other TDs executed by the processing device. In Example 11, the subject matter of any one of Examples 1-10 can optionally include wherein the TDRM manages the TD and the other TDs. All optional features of the apparatus described above may also be implemented with respect to the method or process described herein.
Example 12 is a method for providing isolation in virtualized systems using trust domains, comprising: identifying, by a processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executed on the processing device, a TD exit event; in response to identifying the TD exit event, saving a TD user execution state and a TD supervisor execution state to a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, the execution state being encrypted with the first encryption key, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM) executed by the processing device, or other TDs; modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and loading a TDRM execution and control state and TDRM exit information so that the processing device operates in the context of the TDRM.
In Example 13, the subject matter of Example 12 can optionally include: executing a TD enter event in the context of the TDRM; loading, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted with the second encryption key, wherein the TD-RCS is access-controlled using extended page tables (EPT) against at least one of the TD or other VMs executed by the processing device; modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and loading the user execution state and the supervisor execution state from the TD-TCS so that the processing device operates in the context of the TD. In Example 14, the subject matter of any one of Examples 12-13 can optionally include wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS that associates the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD.
In Example 15, the subject matter of any one of Examples 12-14 can optionally include wherein the MOT is access-controlled via range registers. In Example 16, the subject matter of any one of Examples 12-15 can optionally include wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure that associates the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM. In Example 17, the subject matter of any one of Examples 12-16 can optionally include wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operational context of the processing core from the non-root VMM of the TD or the one or more VMs to the VMM and the TDRM.
In Example 18, the subject matter of any one of Examples 12-17 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates multiple encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs, each host physical page in the MOT referencing one key ID.
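The MOT owner/guest-physical-address check of Example 1 and the key-ID switch on TD exit and TD enter of Examples 12-13 above, modelled in Python as an added example; this is not the patent's or any Intel implementation's code, and `Mot`, `Processor`, and `toy_encrypt` (a SHA-256 keystream standing in for the MK-TME engine) are assumptions of the model.

```python
"""Toy model of the MOT checks and the key-ID switch on TD exit / TD enter.
Added example, not the patent's code; toy_encrypt stands in for MK-TME."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

TDRM = "TDRM"  # resource manager context, outside the TD's trusted computing base


def toy_encrypt(key_id: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream derived from the key ID (assumption:
    a stand-in for MK-TME). Symmetric, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"toy-key-{key_id}:{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class MotEntry:
    owner: str     # TD (or TDRM) that owns the host physical page
    key_id: int    # key ID the page is encrypted under
    guest_pa: int  # guest physical address the page was assigned as


class Mot:
    """Memory ownership table: one entry per host physical page, keyed by HPA."""

    def __init__(self) -> None:
        self._entries: Dict[int, MotEntry] = {}

    def assign(self, host_pa: int, owner: str, key_id: int, guest_pa: int) -> None:
        self._entries[host_pa] = MotEntry(owner, key_id, guest_pa)

    def check_access(self, host_pa: int, guest_pa: int, context: str) -> bool:
        """Example 1's final check: the page walk resolved guest_pa to host_pa.
        Allow only if the MOT owner is the current context and the guest PA
        recorded at assignment matches, so an EPT remap to another GPA fails."""
        entry = self._entries.get(host_pa)
        if entry is None:
            return False
        return entry.owner == context and entry.guest_pa == guest_pa


class Processor:
    """Tracks key-ID state and context; saves/loads TD state via a TD-TCS."""

    def __init__(self, mot: Mot, tdrm_key_id: int) -> None:
        self.mot = mot
        self.tdrm_key_id = tdrm_key_id
        self.key_id_state = tdrm_key_id
        self.context = TDRM
        self.td_key_ids: Dict[str, int] = {}
        self.td_tcs: Dict[str, bytes] = {}  # per-TD execution state, encrypted

    def create_td(self, td: str, key_id: int) -> None:
        self.td_key_ids[td] = key_id

    def td_enter(self, td: str) -> Optional[bytes]:
        """Example 13: switch from the TDRM key ID to the TD key ID, then load
        the TD execution state from its TD-TCS (decrypted under the TD key)."""
        assert self.context == TDRM, "TD enter is issued from the TDRM context"
        self.key_id_state = self.td_key_ids[td]
        self.context = td
        blob = self.td_tcs.get(td)
        return None if blob is None else toy_encrypt(self.key_id_state, blob)

    def td_exit(self, exec_state: bytes) -> None:
        """Example 12: save TD state to its TD-TCS under the TD key ID, then
        switch key-ID state to the TDRM key and return to the TDRM context."""
        assert self.context != TDRM, "TD exit only happens while in a TD"
        self.td_tcs[self.context] = toy_encrypt(self.key_id_state, exec_state)
        self.key_id_state = self.tdrm_key_id
        self.context = TDRM

    def read_page(self, host_pa: int, guest_pa: int, ciphertext: bytes) -> Optional[bytes]:
        """Read through the MOT: None on owner/GPA mismatch, otherwise decrypt
        with the current key-ID state (a wrong key yields garbage, not data)."""
        if not self.mot.check_access(host_pa, guest_pa, self.context):
            return None
        return toy_encrypt(self.key_id_state, ciphertext)


def demo() -> dict:
    """Constructed sample: HPA 0x1000 assigned to TD1 as GPA 0x4000 under key 7."""
    mot = Mot()
    cpu = Processor(mot, tdrm_key_id=0)
    cpu.create_td("TD1", key_id=7)
    mot.assign(0x1000, "TD1", 7, 0x4000)
    page = toy_encrypt(7, b"TD1 private page contents")
    out = {}
    cpu.td_enter("TD1")
    out["td_reads_own_page"] = cpu.read_page(0x1000, 0x4000, page)
    out["remapped_gpa_refused"] = cpu.read_page(0x1000, 0x5000, page)
    cpu.td_exit(b"rip=0x401000 rsp=0x7ffc0000")
    out["tdrm_read_refused"] = cpu.read_page(0x1000, 0x4000, page)
    out["tdrm_sees_garbage"] = toy_encrypt(cpu.key_id_state, cpu.td_tcs["TD1"])
    out["state_restored"] = cpu.td_enter("TD1")
    return out
```

`demo()` walks one TD through enter, a permitted read, a refused read at a remapped guest address, exit (after which the TDRM context cannot read the page or recover the saved state under its own key ID), and re-entry that restores the saved state.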
Example 19 is a system for providing isolation in virtualized systems using trust domains. In Example 19, the system comprises: a memory device to store instructions; and a processing device operatively coupled to the memory device. Further to Example 19, the processing device executes the instructions to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in the trusted computing base (TCB) of the TD; maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device; reference the MOT to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key identified by the encryption key ID; and reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address and the accessed guest physical address allows the processing device to access the memory pages assigned to the TD in response to the processing device executing in the context of the TD.
In Example 20, the subject matter of Example 19 can optionally include wherein the VMM comprises a TDRM component that provides memory management via extended page tables (EPT) for one or more of: the TD, the other TDs, or one or more virtual machines (VMs).
In Example 21, the subject matter of any one of Examples 19-20 can optionally include wherein the TD-TCS corresponds to a logical processor of the TD, the TD-TCS storing the supervisor execution state and the user execution state of the TD on a TD exit operation and loading the user and supervisor execution states of the TD on a TD enter operation, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, the VMM, or the other TDs executed by the processing device. In Example 22, the subject matter of any one of Examples 19-21 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates multiple encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs via a key ID associated with each entry in the MOT.
In Example 23, the subject matter of any one of Examples 19-22 can optionally include wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the TDRM to the non-root VMM of the TD. All optional features of the system described above may also be implemented with respect to the method or process described herein.
Example 24 is a non-transitory machine-readable storage medium for providing isolation in virtualized systems using trust domains. In Example 24, the non-transitory machine-readable storage medium includes data that, when accessed by a processing device, cause the processing device to perform operations comprising: identifying, by the processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD), a TD enter event while executing in the context of the TDRM on the processing device; in response to identifying the TD enter event, loading a TDRM control state of the TDRM from a trust domain resource manager control structure (TDRCS) corresponding to the TDRM, using a first key identifier (ID) corresponding to a first encryption key assigned to the TDRM, the TDRM control state being encrypted with the first encryption key, wherein the TDRCS is access-controlled against software access from at least one of the TD or other TDs executed by the processing device; modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD; and loading a supervisor execution state and a TD user execution state of the TD from a trust domain thread control structure (TD-TCS) so that the processing device operates in the context of the TD, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM or the other TDs executed by the processing device.
In Example 25, the subject matter of Example 24 can optionally include: executing a TD enter event in the context of the TDRM; loading, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, the execution state being encrypted with the second encryption key, wherein the TD-RCS is access-controlled using extended page tables (EPT) against at least one of the TD or other VMs executed by the processing device; modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and loading the user execution state and the supervisor execution state from the TD-TCS so that the processing device operates in the context of the TD.
In Example 26, the subject matter of Examples 30-31 can optionally include wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via the memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS that associates the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD. In Example 27, the subject matter of Examples 30-32 can optionally include wherein the MOT is access-controlled via range registers.
In Example 28, the subject matter of Examples 30-33 can optionally include wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure that associates the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM.
In Example 29, the subject matter of Examples 30-34 can optionally include wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operational context of the processing core from the non-root VMM of the TD or the one or more VMs to the VMM and the TDRM. In Example 30, the subject matter of Examples 30-35 can optionally include wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates multiple encryption keys assigned to the TD via key IDs for encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs, each host physical page in the MOT referencing one key ID.
Example 31 is an apparatus for providing isolation in a virtualization system using trust domains, comprising: means for executing, by a processing device, a trust domain resource manager (TDRM) to manage a trust domain (TD), the TD being executed by the processing device; means for maintaining a trust domain control structure (TDCS) for managing one or more global metadata of the TD or of other TDs executed by the processing device; means for maintaining an execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs; means for referencing the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device confidential access to the memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted by the encryption key; and means for referencing the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD. In example 32, the subject matter of example 31 can optionally include the apparatus being further configured to include the subject matter of any one of examples 2 to 11.
Example 33 is a system for providing isolation in a virtualization system using trust domains, the system comprising a memory device to store instructions and a processing core operatively coupled to the memory device. With further reference to example 33, the processing core is to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD) executing on the processing device; identify a TD exit event; in response to identifying the TD exit event, save a user execution state and a TD supervisor execution state of the TD into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, the execution state being encrypted by the first encryption key, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM) executed by the processing device, or other TDs; modify a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and load a TDRM execution and control state and TDRM exit information so that the processing device operates in the context of the TDRM. In example 34, the subject matter of example 33 can optionally include the subject matter of any one of examples 13 to 18.
Example 35 is an apparatus for providing isolation in a virtualization system using trust domains, comprising a memory and a processing device coupled to the memory, wherein the processing device is to perform the method of any one of examples 12-18. Example 36 is an apparatus for providing isolation in a virtualization system using trust domains, comprising means for performing the method of any one of examples 12 to 18. Example 37 is at least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method of any one of examples 12-18. Details in the examples may be used anywhere in one or more embodiments.
Although the disclosure has been described with respect to a limited number of implementations, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of the disclosure.
In the description herein, numerous specific details are set forth, such as examples of specific types of processing devices and system configurations, specific hardware structures, specific architectural and micro-architectural details, specific register configurations, specific instruction types, specific system components, specific measurements/heights, specific processing device pipeline stages and operation, and so on, in order to provide a thorough understanding of the disclosure. It will be apparent, however, to one skilled in the art that these specific details need not be employed to practice the disclosure. In other instances, well-known components or methods, such as specific and alternative processing device architectures, specific logic circuits or code for the described algorithms, specific firmware code, specific interconnect operation, specific logic configurations, specific manufacturing techniques and materials, specific compiler implementations, specific expressions of algorithms in code, specific power-down and gating techniques or logic, and other specific operational details of computer systems, have not been described in detail in order to avoid unnecessarily obscuring the disclosure.
Implementations are described with reference to providing isolation in a virtualization system using trust domains in specific integrated circuits, such as in computing platforms or microprocessors. The implementations may also be applicable to other types of integrated circuits and programmable logic devices. For example, the disclosed implementations are not limited to desktop computer systems or portable computers, such as Intel Ultrabooks computers, and may also be used in other devices, such as handheld devices, tablets, other thin notebooks, system-on-a-chip (SoC) devices, and embedded applications. Some examples of handheld devices include cellular phones, Internet Protocol devices, digital cameras, personal digital assistants (PDAs), and handheld PCs. Embedded applications typically include a microcontroller, a digital signal processor (DSP), a system on a chip, network computers (NetPC), set-top boxes, network hubs, wide area network (WAN) switches, or any other system that can perform the functions and operations taught below. The system described can be any kind of computer or embedded system. The disclosed implementations may especially be used for low-end devices, such as wearable devices (e.g., watches), electronic implants, sensory and control infrastructure devices, controllers, supervisory control and data acquisition (SCADA) systems, and the like. Moreover, the apparatuses, methods, and systems described herein are not limited to physical computing devices, but may also relate to software optimizations for energy conservation and efficiency. As will become readily apparent in the description below, the implementations of the methods, apparatuses, and systems described herein (whether in reference to hardware, firmware, software, or a combination thereof) are vital to a "green technology" future balanced with performance considerations.
Although the implementations herein are described with reference to a processing device, other implementations are applicable to other types of integrated circuits and logic devices. Similar techniques and teachings of implementations of the disclosure can be applied to other types of circuits or semiconductor devices that can benefit from higher pipeline throughput and improved performance. The teachings of implementations of the disclosure are applicable to any processing device or machine that performs data manipulations. However, the disclosure is not limited to processing devices or machines that perform 512-bit, 256-bit, 128-bit, 64-bit, 32-bit, or 16-bit data operations, and can be applied to any processing device and machine in which manipulation or management of data is performed. In addition, the description herein provides examples, and the accompanying drawings show various examples for purposes of illustration. However, these examples should not be construed in a limiting sense, as they are merely intended to provide examples of implementations of the disclosure rather than an exhaustive list of all possible implementations of the disclosure.
Although the examples below describe instruction handling and distribution in the context of execution units and logic circuits, other implementations of the disclosure can be accomplished by way of data or instructions stored on a machine-readable, tangible medium, which, when performed by a machine, cause the machine to perform functions consistent with at least one implementation of the disclosure. In one implementation, functions associated with implementations of the disclosure are embodied in machine-executable instructions. The instructions can be used to cause a general-purpose or special-purpose processing device that is programmed with the instructions to perform the steps of the disclosure. Implementations of the disclosure may be provided as a computer program product or software, which may include a machine-readable or computer-readable medium having stored thereon instructions that may be used to program a computer (or other electronic devices) to perform one or more operations according to implementations of the disclosure. Alternatively, operations of implementations of the disclosure might be performed by specific hardware components that contain fixed-function logic for performing the operations, or by any combination of programmed computer components and fixed-function hardware components.
Instructions used to program logic to perform implementations of the disclosure can be stored within a memory in the system, such as DRAM, cache, flash memory, or other storage. Furthermore, the instructions can be distributed via a network or by way of other computer-readable media. Thus a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including but not limited to floppy diskettes, optical disks, compact disc read-only memory (CD-ROM), magneto-optical disks, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, flash memory, or tangible machine-readable storage used in the transmission of information over the Internet via electrical, optical, acoustical, or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Accordingly, a computer-readable medium includes any type of tangible machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
A design may go through various stages, from creation to simulation to fabrication. Data representing a design may represent the design in a number of ways. First, as is useful in simulations, the hardware may be represented using a hardware description language or another functional description language. Additionally, a circuit-level model with logic and/or transistor gates may be produced at some stages of the design process. Furthermore, most designs, at some stage, reach a level of data representing the physical placement of various devices in the hardware model. Where conventional semiconductor fabrication techniques are used, the data representing the hardware model may be the data specifying the presence or absence of various features on the different mask layers of the masks used to produce the integrated circuit. In any representation of the design, the data may be stored in any form of machine-readable medium. A memory or a magnetic or optical storage device, such as a disc, may be the machine-readable medium that stores information transmitted via an optical or electrical wave modulated or otherwise generated to carry that information. When an electrical carrier wave indicating or carrying the code or design is transmitted, a new copy is made to the extent that copying, buffering, or retransmission of the electrical signal is performed. Thus, a communication provider or a network provider may store on a tangible machine-readable medium, at least temporarily, an article, such as information encoded into a carrier wave, embodying techniques of implementations of the disclosure.
A module as used herein refers to any combination of hardware, software, and/or firmware. As an example, a module includes hardware, such as a microcontroller, associated with a non-transitory medium that stores code adapted to be executed by the microcontroller. Therefore, in one implementation, a reference to a module refers to the hardware, which is specifically configured to recognize and/or execute the code held on the non-transitory medium. Furthermore, in another implementation, the use of "module" refers to the non-transitory medium including the code, which is specifically adapted to be executed by the microcontroller to perform predetermined operations. And, as can be inferred, in yet another implementation the term module (in this example) may refer to the combination of the microcontroller and the non-transitory medium. Module boundaries that are illustrated as separate often vary and potentially overlap. For example, a first and a second module may share hardware, software, firmware, or a combination thereof, while potentially retaining some independent hardware, software, or firmware. In one implementation, use of the term "logic" includes hardware such as transistors and registers, or other hardware such as programmable logic devices.
In one implementation, use of the phrase "configured to" refers to arranging, putting together, manufacturing, offering to sell, importing, and/or designing an apparatus, hardware, logic, or element to perform a designated or determined task. In this example, an apparatus or element thereof that is not operating is still "configured to" perform a designated task if it is designed, coupled, and/or interconnected to perform that designated task. As a purely illustrative example, a logic gate may provide a 0 or a 1 during operation. But a logic gate "configured to" provide an enable signal to a clock does not include every potential logic gate that may provide a 1 or a 0. Instead, the logic gate is one coupled in some manner such that, during operation, its 1 or 0 output is to enable the clock. Note once again that use of the term "configured to" does not require operation, but instead focuses on the latent state of an apparatus, hardware, and/or element, in which the apparatus, hardware, and/or element is designed to perform a particular task when it is operating.
Furthermore, in one implementation, use of the phrases "to," "capable of/to," and/or "operable to" refers to some apparatus, logic, hardware, and/or element designed in such a way as to enable use of the apparatus, logic, hardware, and/or element in a specified manner. Note, as above, that in one implementation the use of "to," "capable to," or "operable to" refers to the latent state of an apparatus, logic, hardware, and/or element, in which the apparatus, logic, hardware, and/or element is not operating but is designed in such a manner as to enable use of the apparatus in a specified manner.
A value, as used herein, includes any known representation of a number, a state, a logical state, or a binary logical state. Often, the use of logic levels, logic values, or logical values is also referred to as 1's and 0's, which simply represent binary logic states. For example, a 1 refers to a high logic level and a 0 refers to a low logic level. In one implementation, a storage cell, such as a transistor or flash cell, may be capable of holding a single logical value or multiple logical values. However, other representations of values in computer systems have been used. For example, the decimal number ten may also be represented as the binary value 1010 and the hexadecimal letter A. Therefore, a value includes any representation of information capable of being held in a computer system.
Moreover, states may be represented by values or portions of values. As an example, a first value, such as a logical one, may represent a default or initial state, while a second value, such as a logical zero, may represent a non-default state. In addition, in one implementation, the terms reset and set refer to a default and an updated value or state, respectively. For example, a default value potentially includes a high logical value, i.e., reset, while an updated value potentially includes a low logical value, i.e., set. Note that any combination of values may be used to represent any number of states.
The implementations of methods, hardware, software, firmware, or code set forth above may be implemented via instructions or code stored on a machine-accessible, machine-readable, computer-accessible, or computer-readable medium and executable by a processing element. A non-transitory machine-accessible/readable medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form readable by a machine, such as a computer or electronic system. For example, a non-transitory machine-accessible medium includes random access memory (RAM), such as static RAM (SRAM) or dynamic RAM (DRAM); ROM; magnetic or optical storage media; flash memory devices; electrical storage devices; optical storage devices; acoustical storage devices; other forms of storage devices for holding information received from transitory (propagated) signals (e.g., carrier waves, infrared signals, digital signals); and so on, which are to be distinguished from the transitory media from which the information may be received. Instructions used to program logic to perform implementations of the disclosure may be stored within a memory in the system, such as DRAM, cache, flash memory, or other storage. Furthermore, the instructions can be distributed via a network or by way of other computer-readable media. Thus a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including but not limited to floppy diskettes, optical disks, compact disc read-only memory (CD-ROM), magneto-optical disks, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, flash memory, or tangible machine-readable storage used in the transmission of information over the Internet via electrical, optical, acoustical, or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Accordingly, a computer-readable medium includes any type of tangible machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
Reference throughout this specification to "one implementation" or "an implementation" means that a particular feature, structure, or characteristic described in connection with the implementation is included in at least one implementation of the disclosure. Thus, the appearances of the phrases "in one implementation" or "in an implementation" in various places throughout this specification are not necessarily all referring to the same implementation. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more implementations.
In the foregoing specification, a detailed description has been given with reference to specific exemplary implementations. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the disclosure as set forth in the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense. Furthermore, the foregoing use of "implementation," "embodiment," and/or other exemplary language does not necessarily refer to the same implementation or the same example, but may refer to different and distinct implementations, as well as potentially the same implementation.
Some portions of the detailed description are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. The blocks described herein can be hardware, software, firmware, or a combination thereof.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, as is apparent from the above discussion, it is appreciated that throughout the description, discussions using terms such as "defining," "receiving," "determining," "issuing," "linking," "associating," "obtaining," "authenticating," "prohibiting," "executing," "requesting," "communicating," or the like refer to the actions and processes of a computing system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computing system's registers and memories into other data similarly represented as physical quantities within the computing system's memories or registers or other such information storage, transmission, or display devices.
The words "example" or "exemplary" are used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as "example" or "exemplary" is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the words "example" or "exemplary" is intended to present concepts in a concrete fashion. As used in this application, the term "or" is intended to mean an inclusive "or" rather than an exclusive "or." That is, unless specified otherwise or clear from context, "X includes A or B" is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then "X includes A or B" is satisfied under any of the foregoing instances. In addition, the articles "a" and "an" as used in this application and the appended claims should generally be construed to mean "one or more" unless specified otherwise or clear from context to be directed to a singular form. Moreover, use of the terms "an embodiment," "one embodiment," "an implementation," or "one implementation" throughout is not intended to mean the same embodiment or implementation unless described as such. Also, the terms "first," "second," "third," "fourth," etc., as used herein, are meant as labels to distinguish among different elements and do not necessarily have an ordinal meaning according to their numerical designation.
The disclosure also provides a set of technical solutions, as follows:
Technical solution 1. A processing device, comprising:
a memory ownership table (MOT) that is access-controlled against software accesses; and
a processing core, the processing core to:
execute a trust domain (TD) and a trust domain resource manager (TDRM) that manages the TD;
maintain a trust domain control structure (TDCS) for managing one or more global metadata of the TD or of other TDs executed by the processing device;
maintain an execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are referenced by the TDCS and that are access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs;
reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted by the encryption key; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match between the guest physical address obtained from the MOT and the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
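The MOT check that technical solution 1 (and, with the page-walk detail of solution 6, solution 14 and example 31) describes can be written out as a small model. The following is an added example, not code from the patent or from any Intel implementation: the entry layout (owner, key ID, reverse-mapped guest physical page), the owner label "TDRM", the key ID value 0 for the TDRM and all function names are assumptions made for illustration. It shows the two decisions the core makes on a TD access: the page must be owned by the executing TD, and the guest physical address the EPT walk was resolving must equal the one recorded in the MOT for that host page, so a VMM that silently re-points an EPT entry at another page the TD owns is refused.

```python
"""Model of a memory ownership table (MOT) access check.  Added example;
the structures, labels and helper names are assumptions, not the patent's."""
from dataclasses import dataclass
from typing import Dict, Optional

PAGE = 0x1000
TDRM_KEY_ID = 0          # key ID used by the root VMM / TDRM (assumed value)


def page_of(addr: int) -> int:
    return addr & ~(PAGE - 1)


@dataclass(frozen=True)
class MotEntry:
    owner: str           # TD that owns the host physical page, or "TDRM"
    key_id: int          # MK-TME key ID the page is encrypted with
    gpa: int             # guest physical page this host page is recorded to back


class MemoryOwnershipTable:
    """Indexed by host physical page.  Only the TDRM populates it; the
    hardware (not the TDRM) enforces the entries on every TD access."""

    def __init__(self) -> None:
        self._entries: Dict[int, MotEntry] = {}

    def assign(self, hpa: int, owner: str, key_id: int, gpa: int) -> None:
        self._entries[page_of(hpa)] = MotEntry(owner, key_id, page_of(gpa))

    def lookup(self, hpa: int) -> Optional[MotEntry]:
        return self._entries.get(page_of(hpa))


class AccessDenied(Exception):
    pass


def check_access(mot: MemoryOwnershipTable, context: str, gpa: int, hpa: int) -> int:
    """Decide whether the core, executing in `context` (a TD name or "TDRM"),
    may touch host page `hpa`, which the EPT walk produced for `gpa`.
    Returns the key ID the memory controller must use for the access."""
    entry = mot.lookup(hpa)
    if context == "TDRM":
        # The TDRM may use its own or unassigned pages.  A TD-owned page is
        # refused here so TD plaintext is never returned under the TDRM key.
        if entry is not None and entry.owner != "TDRM":
            raise AccessDenied("page is assigned to %s" % entry.owner)
        return TDRM_KEY_ID
    if entry is None or entry.owner != context:
        raise AccessDenied("page not assigned to %s" % context)
    if entry.gpa != page_of(gpa):
        # Reverse-map check: the EPT maps this GPA to a page the TD owns,
        # but the MOT recorded that page for a different GPA (remap attack).
        raise AccessDenied("GPA %#x does not match MOT reverse map %#x"
                           % (page_of(gpa), entry.gpa))
    return entry.key_id


def try_access(mot: MemoryOwnershipTable, context: str, gpa: int, hpa: int) -> str:
    """Human-readable wrapper used by the demonstration below."""
    try:
        return "ALLOW key_id=%d" % check_access(mot, context, gpa, hpa)
    except AccessDenied as exc:
        return "DENY: %s" % exc


def build_demo_mot() -> MemoryOwnershipTable:
    """Constructed sample assignments: two TDs and one TDRM-owned page."""
    mot = MemoryOwnershipTable()
    mot.assign(0x10000, "TD1", key_id=1, gpa=0x1000)   # TD1, backs GPA 0x1000
    mot.assign(0x11000, "TD1", key_id=1, gpa=0x2000)   # TD1, backs GPA 0x2000
    mot.assign(0x20000, "TD2", key_id=2, gpa=0x1000)   # TD2's own GPA 0x1000
    mot.assign(0x30000, "TDRM", key_id=TDRM_KEY_ID, gpa=0x0)
    return mot


if __name__ == "__main__":
    mot = build_demo_mot()
    print(try_access(mot, "TD1", 0x1000, 0x10000))   # legitimate TD1 access
    print(try_access(mot, "TD1", 0x1000, 0x11000))   # EPT re-pointed: denied
    print(try_access(mot, "TD1", 0x1000, 0x20000))   # TD2's page: denied
    print(try_access(mot, "TDRM", 0x0, 0x10000))     # TDRM reading TD1: denied
```

The second `DENY` is the case the reverse map exists for: both host pages belong to TD1 and are encrypted under its key, so encryption alone would not detect the VMM swapping them; only the GPA recorded in the MOT does.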
Technical solution 2. The processing device of technical solution 1, wherein the VMM comprises a TDRM component that provides memory management via extended page tables (EPT) for at least one of: the TD, the other TDs, or one or more virtual machines (VMs).
Technical solution 3. The processing device of technical solution 1, wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCS corresponding to logical processors of the TD, and wherein the TD-TCS stores a user execution state and a supervisor execution state of the TD.
Technical solution 4. The processing device of technical solution 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
Technical solution 5. The processing device of technical solution 4, wherein the MK-TME engine generates multiple encryption keys, accessed via key IDs assigned to the TD, for encrypting and decrypting the memory pages of the TD and for encrypting and decrypting memory pages of persistent memory assigned to the TD, and wherein the MOT tracks the multiple key IDs via a key ID associated with each entry in the MOT.
Technical solution 6. The processing device of technical solution 2, wherein the processing core references the MOT for a host physical memory page accessed as part of a page-walk operation in order to access a guest physical memory page mapped by the EPT.
Technical solution 7. The processing device of technical solution 1, wherein the TD comprises at least one of: an operating system (OS) to manage one or more applications, or a VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operating context of the processing core from at least one of the VMM or the TDRM to the OS or the VMM of the TD.
Technical solution 8. The processing device of technical solution 1, wherein the TDRM is not included in a trusted computing base (TCB) of the TD.
Technical solution 9. The processing device of technical solution 1, wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party to verify the cryptographic measurement.
Technical solution 10. The processing device of technical solution 1, wherein the processing core is further to maintain a measurement state of the TD in the TDCS, the TDCS being access-controlled against software accesses from software comprising at least the TDRM, the VMM, or the other TDs executed by the processing device.
Technical solution 11. The processing device of technical solution 1, wherein the TDRM manages the TD and the other TDs.
Technical solution 12. A method, comprising:
identifying, by a processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executing on the processing device, a TD exit event;
in response to identifying the TD exit event, saving a user execution state and a TD supervisor execution state of the TD into a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, the execution state being encrypted by the first encryption key, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and
loading a TDRM execution and control state and TDRM exit information so that the processing device operates in the context of the TDRM.
Technical solution 13. The method of technical solution 12, further comprising:
executing a TD enter event in the context of the TDRM;
loading TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, using a second key identifier (ID) corresponding to a second encryption key assigned to the TDRM, the execution state being encrypted by the second encryption key, wherein the TD-RCS is access-controlled via extended page tables (EPT) against at least one of the TD or other VMs executed by the processing device;
modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and
loading the user execution state and the supervisor execution state from the TD-TCS so that the processing device operates in the context of the TD.
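The TD exit and TD enter sequences of technical solutions 12 and 13 (and example 33) hinge on one detail: the core's key ID is switched between saving the TD state and loading the TDRM state, so the TD-TCS is only ever written under the TD's key and the TD-RCS only under the TDRM's key. The following is an added example, not code from the patent or from any Intel implementation, that models that ordering. The MK-TME engine is stood in for by a SHA-256 counter-mode keystream per key ID (a toy, for illustration only), the control structures are single pages holding JSON, and the key ID value 0 for the TDRM, the page addresses and all names are assumptions. The point it makes concrete is in `tdrm_peek`: after the exit, the TDRM holds the page but reads it under its own key ID and gets nothing usable back.

```python
"""Model of TD exit / TD enter with key-ID switching.  Added example; the
toy MK-TME keystream, page layout and names are assumptions, not the patent's."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

TDRM_KEY_ID = 0                     # key ID of the root VMM / TDRM (assumed)


class MkTme:
    """Toy multi-key memory encryption: one key per key ID, XOR keystream
    derived from (key, host physical address, counter).  Illustration only."""

    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}

    def new_key(self, key_id: int) -> None:
        self._keys[key_id] = hashlib.sha256(b"mktme-demo-key-%d" % key_id).digest()

    def xcrypt(self, key_id: int, hpa: int, data: bytes) -> bytes:
        stream = b""
        for ctr in range(0, len(data), 32):
            stream += hashlib.sha256(self._keys[key_id] + hpa.to_bytes(8, "little")
                                     + ctr.to_bytes(4, "little")).digest()
        return bytes(a ^ b for a, b in zip(data, stream))


class Memory:
    """Physical memory: every write is encrypted with the key ID the core
    currently presents, every read is decrypted with the key ID presented."""

    def __init__(self, engine: MkTme) -> None:
        self.engine = engine
        self._cells: Dict[int, bytes] = {}

    def write(self, hpa: int, data: bytes, key_id: int) -> None:
        self._cells[hpa] = self.engine.xcrypt(key_id, hpa, data)

    def read(self, hpa: int, key_id: int) -> bytes:
        return self.engine.xcrypt(key_id, hpa, self._cells[hpa])


@dataclass
class Cpu:
    key_id: int = TDRM_KEY_ID
    context: str = "TDRM"
    user_state: dict = field(default_factory=dict)
    supervisor_state: dict = field(default_factory=dict)
    exec_controls: dict = field(default_factory=dict)


@dataclass
class TrustDomain:
    name: str
    key_id: int          # first key ID (the TD's)
    td_tcs: int          # host page of the TD-TCS, encrypted under td.key_id
    td_rcs: int          # host page of the TD-RCS, encrypted under TDRM_KEY_ID


def td_exit(cpu: Cpu, mem: Memory, td: TrustDomain, reason: str) -> None:
    assert cpu.context == td.name and cpu.key_id == td.key_id
    # 1. save user + supervisor state into the TD-TCS under the TD's key
    blob = json.dumps({"user": cpu.user_state, "sup": cpu.supervisor_state}).encode()
    mem.write(td.td_tcs, blob, cpu.key_id)
    # 2. switch the core's key ID to the TDRM's
    cpu.key_id = TDRM_KEY_ID
    # 3. load TDRM execution/control state plus exit information from the TD-RCS
    rcs = json.loads(mem.read(td.td_rcs, cpu.key_id))
    cpu.exec_controls = rcs["controls"]
    cpu.user_state = {}
    cpu.supervisor_state = {"exit_reason": reason, **rcs["tdrm_state"]}
    cpu.context = "TDRM"


def td_enter(cpu: Cpu, mem: Memory, td: TrustDomain) -> None:
    assert cpu.context == "TDRM" and cpu.key_id == TDRM_KEY_ID
    rcs = json.loads(mem.read(td.td_rcs, cpu.key_id))   # TDRM-specified controls
    cpu.exec_controls = rcs["controls"]
    cpu.key_id = td.key_id                                # TD pages now decrypt
    saved = json.loads(mem.read(td.td_tcs, cpu.key_id))
    cpu.user_state, cpu.supervisor_state = saved["user"], saved["sup"]
    cpu.context = td.name


def tdrm_peek(mem: Memory, td: TrustDomain) -> Optional[dict]:
    """The TDRM reads the TD-TCS page with its own key ID: ciphertext only."""
    try:
        return json.loads(mem.read(td.td_tcs, TDRM_KEY_ID))
    except ValueError:            # covers UnicodeDecodeError and JSONDecodeError
        return None


def demo():
    """Constructed scenario: build TD1, enter it, run, exit, peek, re-enter."""
    engine = MkTme()
    engine.new_key(TDRM_KEY_ID)
    engine.new_key(1)
    mem = Memory(engine)
    td = TrustDomain("TD1", key_id=1, td_tcs=0x10000, td_rcs=0x11000)
    mem.write(td.td_rcs, json.dumps({"controls": {"ept": 0x20000},
                                     "tdrm_state": {"rip": 0x400}}).encode(), TDRM_KEY_ID)
    mem.write(td.td_tcs, json.dumps({"user": {"rip": 0x1000},
                                     "sup": {"cr3": 0x3000}}).encode(), td.key_id)
    cpu = Cpu()
    td_enter(cpu, mem, td)
    cpu.user_state["rax"] = 42                  # the TD computes something
    td_exit(cpu, mem, td, reason="ept_violation")
    peek = tdrm_peek(mem, td)                   # None: TDRM cannot read TD state
    after_exit = (cpu.context, cpu.key_id, cpu.supervisor_state["exit_reason"])
    td_enter(cpu, mem, td)
    return cpu, peek, after_exit
```

Calling `demo()` returns the core after re-entry (context `TD1`, key ID 1, `rax` restored to 42), `None` for the TDRM's attempt to parse the TD-TCS, and the `("TDRM", 0, "ept_violation")` triple observed between the two transitions.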
Technical solution 14. The method of technical solution 13, wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality of memory accesses to the memory pages corresponding to the TD.
Technical solution 15. The method of technical solution 12, wherein the MOT is access-controlled via range registers.
Technical solution 16. The method of technical solution 14, wherein the TDRM execution and control state is loaded from a TD-RCS structure that is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure, the second entry associating the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality of memory accesses to the memory pages corresponding to the TDRM.
Technical solution 17. The method of technical solution 12, wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operating context of the processing core from the non-root VMM or one or more of the VMs of the TD to the root VMM and the TDRM.
Technical solution 18. The method of technical solution 12, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates multiple encryption keys that are assigned to the TD via key IDs for encrypting the ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the multiple encryption key IDs, each host physical page in the MOT referencing one key ID.
Technical solution 19. A system, comprising:
a memory device to store instructions; and
a processing device operatively coupled to the memory device, the processing device to execute the instructions to:
execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in the trusted computing base (TCB) of the TD;
maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
reference the memory ownership table (MOT) to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key identified via the encryption key ID; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match of that guest physical address with the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
Technical solution 20. The system of technical solution 19, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for one or more of: the TD, other TDs, or one or more virtual machines (VMs).
Technical solution 21. The system of technical solution 19, wherein the TD-TCS corresponds to a logical processor of the TD, stores the supervisor execution state and the user execution state of the TD on a TD exit operation, and loads the user and supervisor execution state of the TD on a TD enter operation, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
Technical solution 22. The system of technical solution 19, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs to encrypt ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs via a key ID associated with each entry in the MOT.
Technical solution 23. The system of technical solution 19, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the TDRM to the non-root VMM of the TD.
Technical solution 24. A non-transitory machine-readable storage medium comprising data that, when accessed by a processing device, cause the processing device to perform operations comprising:
identifying, by the processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD), a TD enter event while executing in the processing device context of the TDRM;
in response to identifying the TD enter event, loading a TDRM control state of the TDRM from a trust domain resource manager control structure (TDRCS) corresponding to the TDRM, using a first key identifier (ID) corresponding to a first encryption key assigned to the TDRM, the TDRM control state being encrypted with the first encryption key, wherein the TDRCS is access-controlled against software access from at least one of the TD or other TDs executed by the processing device;
modifying the key ID state of the processing device from the first key ID to a second key ID corresponding to a second encryption key assigned to the TD; and
loading a supervisor execution state and a TD user execution state of the TD from a trust domain thread control structure (TD-TCS), so that the processing device operates in the context of the TD, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM or the other TDs executed by the processing device.
Technical solution 25. The non-transitory machine-readable storage medium of technical solution 24, wherein the TDCS and the TD-TCS are access-controlled via the memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TD-TCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory access control on memory accesses to memory pages corresponding to the TD.

Claims (25)

1. A processing device, comprising:
a memory ownership table (MOT) that is access-controlled against software access; and
a processing core to:
execute a trust domain (TD) and a trust domain resource manager (TDRM) that manages the TD;
maintain a trust domain control structure (TDCS) for managing global metadata for one or more of the TD or other TDs executed by the processing device;
maintain the execution state of the TD in one or more trust domain thread control structures (TD-TCS) that are referenced by the TDCS and are access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs;
reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match of the guest physical address obtained from the MOT with the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
2. The processing device of claim 1, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for at least one of: the TD, the other TDs, or one or more virtual machines (VMs).
3. The processing device of claim 1, wherein the TD-TCS references the TDCS, wherein the TDCS maintains a count of the one or more TD-TCSs corresponding to logical processors of the TD, and wherein the TD-TCS stores the user execution state and the supervisor execution state of the TD.
4. The processing device of claim 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
5. The processing device of claim 4, wherein the MK-TME engine generates a plurality of encryption keys, accessed via key IDs assigned to the TD, for encrypting and decrypting memory pages of the TD and for encrypting and decrypting memory pages of persistent memory assigned to the TD, and wherein the MOT tracks the plurality of key IDs via a key ID associated with each entry in the MOT.
6. The processing device of claim 2, wherein the processing core references the MOT for a host physical memory page accessed as part of a page-walk operation to access a guest physical memory page mapped by the EPT.
7. The processing device of claim 1, wherein the TD comprises at least one of: an operating system (OS) to manage one or more applications, or a VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the VMM to the OS of the TD, or from the TDRM to the VMM of the TD.
8. The processing device of claim 1, wherein the TDRM is not included in the trusted computing base (TCB) of the TD.
9. The processing device of claim 1, wherein the TDCS comprises a signing structure that captures a cryptographic measurement of the TD, the cryptographic measurement being signed by a hardware root of trust of the processing device, and wherein the signing structure is provided to an attestation party to verify the cryptographic measurement.
10. The processing device of claim 1, wherein the processing core is further to maintain a measurement state of the TD in the TDCS, the TDCS being access-controlled against software access from software including at least the TDRM, the VMM, or the other TDs executed by the processing device.
11. The processing device of claim 1, wherein the TDRM manages the TD and the other TDs.
12. A method, comprising:
identifying, by a processing device executing a trust domain resource manager (TDRM) to manage a trust domain (TD) executing on the processing device, a TD exit event;
in response to identifying the TD exit event, saving a TD user execution state and a TD supervisor execution state to a trust domain thread control structure (TD-TCS) corresponding to a logical processor assigned to the TD, using a first key identifier (ID) corresponding to a first encryption key assigned to the TD, the execution state being encrypted with the first encryption key, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
modifying a key ID state of the processing device from the first key ID to a second key ID corresponding to at least one of the TDRM or the VMM; and
loading a TDRM execution and control state and TDRM exit information, so that the processing device operates in the context of the TDRM.
13. The method of claim 12, further comprising:
executing a TD enter event in the context of the TDRM;
loading TDRM execution controls specified by the TDRM from a trust domain resource manager control structure (TD-RCS) corresponding to the logical processor assigned to the TD, using the second key identifier (ID) corresponding to the second encryption key assigned to the TDRM, the execution state being encrypted with the second encryption key, wherein the TD-RCS is access-controlled via extended page tables (EPT) against access from the TD or at least one of other VMs executed by the processing device;
modifying the key ID state of the processing device from the second key ID to the first key ID corresponding to the TD; and
loading the user execution state and the supervisor execution state from the TD-TCS, so that the processing device operates in the context of the TD.
14. The method of claim 13, wherein the TDCS and the TD-TCS are confidentiality-protected and access-controlled via a memory ownership table (MOT) of the processing device, the MOT comprising a first entry for the TDCS, the first entry associating the first key ID with the TD, wherein the MOT uses the first key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TD.
15. The method of claim 12, wherein the MOT is access-controlled via range registers.
16. The method of claim 14, wherein the TDRM execution and control state is loaded from the TD-RCS structure, which is access-controlled via the EPT and the MOT, wherein the MOT comprises a second entry for the TD-RCS structure, the second entry associating the second key ID with the physical memory page containing the TD-RCS, and wherein the MOT uses the second key ID to enforce memory confidentiality for memory accesses to memory pages corresponding to the TDRM.
17. The method of claim 12, wherein the VMM is a root VMM comprising the TDRM to manage one or more TDs, wherein the TD comprises a non-root VMM to manage one or more virtual machines (VMs), and wherein the TD exit transfers the operational context of the processing core from the non-root VMM or one or more of the VMs of the TD to the VMM and the TDRM.
18. The method of claim 12, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs to encrypt ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs, each host physical page in the MOT referring to one key ID.
19. A system, comprising:
a memory device to store one or more instructions; and
a processing device operatively coupled to the memory device, the processing device to execute the one or more instructions to:
execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not included in the trusted computing base (TCB) of the TD;
maintain a supervisor execution state and a user execution state of the TD in a trust domain thread control structure (TD-TCS), the TD-TCS being access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device;
reference the memory ownership table (MOT) to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID allowing the processing device to decrypt memory pages assigned to the TD in response to the processing device executing in the context of the TD, the memory pages assigned to the TD being encrypted with the encryption key identified via the encryption key ID; and
reference the MOT to obtain a guest physical address corresponding to a host physical memory page assigned to the TD, wherein a match of that guest physical address with the accessed guest physical address allows the processing device to access the memory page assigned to the TD in response to the processing device executing in the context of the TD.
20. The system of claim 19, wherein the VMM comprises a TDRM component to provide memory management via extended page tables (EPT) for one or more of: the TD, other TDs, or one or more virtual machines (VMs).
21. The system of claim 19, wherein the TD-TCS corresponds to a logical processor of the TD, stores the supervisor execution state and the user execution state of the TD on a TD exit operation, and loads the user and supervisor execution state of the TD on a TD enter operation, wherein the TD-TCS is access-controlled against software access from at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
22. The system of claim 19, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs to encrypt ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT tracks the plurality of encryption key IDs via a key ID associated with each entry in the MOT.
23. The system of claim 19, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transfers the operational context of the processing core from the TDRM to the non-root VMM of the TD.
24. An apparatus, comprising: means for performing the method of any one of claims 12 to 18.
25. At least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method of any one of claims 12 to 18.
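The two MOT checks of claims 1 and 19 (the executing TD must own the host page, and the guest physical address recorded in the MOT must match the one accessed) and the TD exit / TD enter sequence of claims 12 and 13 (save the TD's state to its TD-TCS under the TD's key, switch the logical processor's key ID, reload) are easier to reason about as a small state machine. The following Python is an added illustration written for this page; it is not Intel's hardware, firmware or patent text. The `Mot` and `LogicalProcessor` classes, the owner strings, page addresses, key IDs and register values are assumptions, and a `(key_id, data)` tuple stands in for an MK-TME-encrypted DRAM page: reading it under a different key ID yields nothing useful, which is what the per-key encryption guarantees.

```python
"""Toy model of the claims' memory ownership table (MOT) checks and TD exit / TD enter key switch.
Constructed example, not Intel's implementation: entry layout, owner strings, page addresses and
key IDs are invented here, and a (key_id, data) tuple stands in for an MK-TME-encrypted page."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PAGE_SHIFT = 12

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class MotEntry:
    owner: str          # entity owning the host page: a TD name or "TDRM"
    key_id: int         # MK-TME key ID the page is encrypted with
    gpn: Optional[int]  # guest physical page number it is mapped at (None for control pages)

@dataclass
class Mot:
    """Memory ownership table: one hardware-managed entry per host physical page."""
    entries: Dict[int, MotEntry] = field(default_factory=dict)

    def assign(self, hpa: int, owner: str, key_id: int, gpa: Optional[int] = None) -> None:
        self.entries[hpa >> PAGE_SHIFT] = MotEntry(owner, key_id, None if gpa is None else gpa >> PAGE_SHIFT)

    def check_access(self, context: str, hpa: int, gpa: Optional[int]) -> int:
        """Key ID for this access, or AccessDenied: the executing context must own the page, and the
        guest address recorded in the MOT must match the one accessed (a remapped EPT entry fails)."""
        entry = self.entries.get(hpa >> PAGE_SHIFT)
        if entry is None or entry.owner != context:
            raise AccessDenied(f"{context} does not own host page {hpa:#x}")
        if entry.gpn is not None and (gpa is None or entry.gpn != gpa >> PAGE_SHIFT):
            raise AccessDenied(f"guest address mismatch for host page {hpa:#x}")
        return entry.key_id

@dataclass
class LogicalProcessor:
    mot: Mot
    td_key: Dict[str, int]  # TD name -> key ID assigned to that TD
    tdrm_key: int           # key ID assigned to the TDRM
    key_id_state: int       # key ID currently programmed on this logical processor
    context: str = "TDRM"
    memory: Dict[int, Tuple[int, object]] = field(default_factory=dict)  # hpa -> (key_id, data)
    tcs_page: Dict[str, int] = field(default_factory=dict)               # TD name -> TD-TCS page

    def _key_for(self, hpa: int, gpa: Optional[int]) -> int:
        key_id = self.mot.check_access(self.context, hpa, gpa)
        if key_id != self.key_id_state:
            raise AccessDenied("access key ID does not match the MOT key ID")
        return key_id

    def write(self, hpa: int, data: object, gpa: Optional[int] = None) -> None:
        self.memory[hpa] = (self._key_for(hpa, gpa), data)

    def read(self, hpa: int, gpa: Optional[int] = None) -> Optional[object]:
        key_id = self._key_for(hpa, gpa)
        stored_key, data = self.memory.get(hpa, (None, None))
        return data if stored_key == key_id else None  # wrong key: ciphertext decrypts to garbage

    def td_exit(self, td: str, state: dict) -> None:
        """Save user/supervisor state to the TD-TCS under the TD key, then switch to the TDRM key."""
        if self.context != td:
            raise AccessDenied("TD exit requested outside the TD's context")
        self.write(self.tcs_page[td], dict(state))
        self.key_id_state, self.context = self.tdrm_key, "TDRM"

    def td_enter(self, td: str) -> Optional[dict]:
        """Switch the logical processor to the TD key and reload its state from the TD-TCS."""
        if self.context != "TDRM":
            raise AccessDenied("TD enter requested outside the TDRM's context")
        self.key_id_state, self.context = self.td_key[td], td
        return self.read(self.tcs_page[td])

def denied(fn) -> bool:
    try:
        fn()
    except AccessDenied:
        return True
    return False

def demo() -> dict:
    mot = Mot()
    lp = LogicalProcessor(mot, td_key={"TD1": 5, "TD2": 6}, tdrm_key=1, key_id_state=1)
    td1_data, td1_gpa = 0x10000, 0x400000
    mot.assign(td1_data, "TD1", 5, gpa=td1_gpa)
    for td, page in (("TD1", 0x11000), ("TD2", 0x12000)):  # TD-TCS pages, owned by each TD
        mot.assign(page, td, lp.td_key[td])
        lp.tcs_page[td] = page
    r = {"tdrm_reads_td_page": denied(lambda: lp.read(td1_data, td1_gpa))}  # TDRM is outside the TCB
    lp.td_enter("TD1")  # first entry: nothing saved in the TD-TCS yet
    lp.write(td1_data, b"td1 secret", gpa=td1_gpa)
    r["td_reads_own_page"] = lp.read(td1_data, td1_gpa)
    r["remapped_gpa"] = denied(lambda: lp.read(td1_data, td1_gpa + 0x1000))  # same host page, other GPA
    lp.td_exit("TD1", {"rip": 0x401000, "rsp": 0x7FFE000, "cpl": 3})
    r["key_after_exit"] = lp.key_id_state
    r["tdrm_reads_tcs"] = denied(lambda: lp.read(lp.tcs_page["TD1"]))  # saved state hidden from TDRM
    r["restored_state"] = lp.td_enter("TD1")
    r["key_after_enter"] = lp.key_id_state
    lp.td_exit("TD1", {})  # the TDRM now reassigns TD1's page to TD2 without scrubbing it
    mot.assign(td1_data, "TD2", 6, gpa=td1_gpa)
    lp.td_enter("TD2")
    r["reassigned_page_plaintext"] = lp.read(td1_data, td1_gpa)  # None: TD1's data is not recoverable
    return r
```

`demo()` walks the scenarios the claims care about: the TDRM, which manages TD1 but sits outside its TCB, is refused both TD1's data page and its TD-TCS; TD1 can use its own page only at the guest physical address the MOT recorded for it; a TD exit leaves the logical processor on the TDRM key and a TD enter switches it back and restores exactly the saved register state; and a page handed from TD1 to TD2 yields nothing of TD1's plaintext because it was written under a different key ID.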
CN201811074901.XA 2017-09-15 2018-09-14 Providing isolation in virtualized systems using trust domains Pending CN109508555A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/705562 2017-09-15
US15/705,562 US11687654B2 (en) 2017-09-15 2017-09-15 Providing isolation in virtualized systems using trust domains

Publications (1)

Publication Number Publication Date
CN109508555A true CN109508555A (en) 2019-03-22

Family

ID=63294028

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811074901.XA Pending CN109508555A (en) 2017-09-15 2018-09-14 Providing isolation in virtualized systems using trust domains

Country Status (5)

Country Link
US (2) US11687654B2 (en)
EP (3) EP3457311B1 (en)
JP (2) JP7118767B2 (en)
KR (1) KR20190031136A (en)
CN (1) CN109508555A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111339533A (en) * 2020-02-14 2020-06-26 北京工业大学 Application layer-oriented trusted cryptographic module interface design method
CN112003937A (en) * 2020-08-21 2020-11-27 西安寰宇卫星测控与数据应用有限公司 Satellite data transmission method, satellite data transmission device, computer equipment and storage medium
WO2024000565A1 (en) * 2022-07-01 2024-01-04 Intel Corporation Methods and apparatuses to debug confidential virtual machine for processor in production mode
CN117407864A (en) * 2023-12-13 2024-01-16 苏州元脑智能科技有限公司 Trusted domain expansion method, system, device, equipment and computer medium

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10621351B2 (en) * 2016-11-01 2020-04-14 Raptor Engineering, LLC. Systems and methods for tamper-resistant verification of firmware with a trusted platform module
US10657071B2 (en) * 2017-09-25 2020-05-19 Intel Corporation System, apparatus and method for page granular, software controlled multiple key memory encryption
US10606764B1 (en) * 2017-10-02 2020-03-31 Northrop Grumman Systems Corporation Fault-tolerant embedded root of trust using lockstep processor cores on an FPGA
US10938559B2 (en) * 2017-12-12 2021-03-02 Advanced Micro Devices, Inc. Security key identifier remapping
US11397692B2 (en) * 2018-06-29 2022-07-26 Intel Corporation Low overhead integrity protection with high availability for trust domains
US11138320B2 (en) * 2018-12-20 2021-10-05 Intel Corporation Secure encryption key management in trust domains
US11283800B2 (en) 2019-03-08 2022-03-22 International Business Machines Corporation Secure interface control secure storage hardware tagging
US11176054B2 (en) 2019-03-08 2021-11-16 International Business Machines Corporation Host virtual address space for secure interface control storage
US11455398B2 (en) * 2019-03-08 2022-09-27 International Business Machines Corporation Testing storage protection hardware in a secure virtual machine environment
US11068310B2 (en) 2019-03-08 2021-07-20 International Business Machines Corporation Secure storage query and donation
US11669335B2 (en) 2019-03-28 2023-06-06 Intel Corporation Secure arbitration mode to build and operate within trust domain extensions
US11099878B2 (en) * 2019-06-28 2021-08-24 Intel Corporation Scalable virtual machine operation inside trust domains within the trust domain architecture
US11842227B2 (en) * 2019-10-10 2023-12-12 Advanced Micro Devices, Inc. Hypervisor secure event handling at a processor
US20210200858A1 (en) * 2019-12-28 2021-07-01 Intel Corporation Executing code in protected memory containers by trust domains
US11494523B2 (en) * 2020-08-14 2022-11-08 Intel Corporation Direct memory access mechanism
US11748140B2 (en) * 2020-08-31 2023-09-05 Red Hat, Inc. Virtual machine security policy implementation
US11537761B2 (en) 2020-09-25 2022-12-27 Intel Corporation Transparent network access control for spatial accelerator device multi-tenancy
US11954047B2 (en) * 2020-09-26 2024-04-09 Intel Corporation Circuitry and methods for spatially unique and location independent persistent memory encryption
US20220138286A1 (en) * 2020-11-02 2022-05-05 Intel Corporation Graphics security with synergistic encryption, content-based and resource management technology
US20210141658A1 (en) * 2020-11-11 2021-05-13 Ravi Sahita Method and apparatus for trusted devices using trust domain extensions
US11848918B2 (en) 2020-12-23 2023-12-19 Oracle International Corporation End-to-end network encryption from customer on-premise network to customer virtual cloud network using customer-managed keys
US11856097B2 (en) * 2020-12-23 2023-12-26 Oracle International Corporation Mechanism to provide customer VCN network encryption using customer-managed keys in network virtualization device
US11960596B2 (en) * 2021-03-11 2024-04-16 Xilinx, Inc. Network interface device
US20230289479A1 (en) * 2022-03-11 2023-09-14 Intel Corporation Bypassing memory encryption for non-confidential virtual machines in a computing system
CN115118508B (en) * 2022-06-28 2023-09-19 平安银行股份有限公司 Data management method, device, electronic equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070038645A1 (en) * 2003-09-22 2007-02-15 Michel Koskas Method for organizing a data base
US20080082772A1 (en) * 2006-09-29 2008-04-03 Uday Savagaonkar Tamper protection of software agents operating in a VT environment methods and apparatuses
CN101410803A (en) * 2006-01-24 2009-04-15 思杰系统有限公司 Methods and systems for providing access to a computing environment
CN102656589A (en) * 2009-12-15 2012-09-05 微软公司 Verifiable trust for data through wrapper composition
CN104335549A (en) * 2012-06-07 2015-02-04 阿尔卡特朗讯公司 Secure data processing
GB201510526D0 (en) * 2015-06-16 2015-07-29 Advanced Risc Mach Ltd Data processing apparatus and method with ownership table
US20150261576A1 (en) * 2014-03-17 2015-09-17 Vmware, Inc. Optimizing memory sharing in a virtualized computer system with address space layout randomization enabled in guest operating systems
CN105184113A (en) * 2014-03-27 2015-12-23 英特尔公司 Hardware-assisted Virtualization For Implementing Secure Video Output Path
CN105306480A (en) * 2009-10-15 2016-02-03 交互数字专利控股公司 Method and device in system including the device
CN106716434A (en) * 2014-10-21 2017-05-24 英特尔公司 Memory protection key architecture with independent user and supervisor domains
US10404674B1 (en) * 2017-02-28 2019-09-03 Amazon Technologies, Inc. Efficient memory management in multi-tenant virtualized environment

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5495614A (en) * 1994-12-14 1996-02-27 International Business Machines Corporation Interface control process between using programs and shared hardware facilities
US8738932B2 (en) 2009-01-16 2014-05-27 Teleputers, Llc System and method for processor-based security
US9117080B2 (en) 2013-07-05 2015-08-25 Bitdefender IPR Management Ltd. Process evaluation for malware detection in virtual machines
US9727355B2 (en) * 2013-08-23 2017-08-08 Vmware, Inc. Virtual Hadoop manager
US9652276B2 (en) * 2014-09-17 2017-05-16 International Business Machines Corporation Hypervisor and virtual machine protection
GB2532415A (en) 2014-11-11 2016-05-25 Ibm Processing a guest event in a hypervisor-controlled system
EP3160103B1 (en) * 2014-12-30 2019-11-20 Huawei Technologies Co., Ltd. Method, apparatus and system for encryption/decryption in virtualization system
GB2539435B8 (en) * 2015-06-16 2018-02-21 Advanced Risc Mach Ltd Data processing memory access control, in which an owning process for a region of memory is specified independently of privilege level
GB2539433B8 (en) * 2015-06-16 2018-02-21 Advanced Risc Mach Ltd Protected exception handling
US10102151B2 (en) * 2015-11-06 2018-10-16 International Business Machines Corporation Protecting a memory from unauthorized access
US20170277898A1 (en) * 2016-03-25 2017-09-28 Advanced Micro Devices, Inc. Key management for secure memory address spaces
US10255202B2 (en) 2016-09-30 2019-04-09 Intel Corporation Multi-tenant encryption for storage class memory
US20180165224A1 (en) * 2016-12-12 2018-06-14 Ati Technologies Ulc Secure encrypted virtualization
US10353729B1 (en) * 2017-03-24 2019-07-16 Intuit Inc. Managing service dependencies across virtual machines in a development environment
US20190004973A1 (en) 2017-06-28 2019-01-03 Intel Corporation Multi-key cryptographic memory protection

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070038645A1 (en) * 2003-09-22 2007-02-15 Michel Koskas Method for organizing a data base
CN101410803A (en) * 2006-01-24 2009-04-15 思杰系统有限公司 Methods and systems for providing access to a computing environment
US20080082772A1 (en) * 2006-09-29 2008-04-03 Uday Savagaonkar Tamper protection of software agents operating in a VT environment methods and apparatuses
CN105306480A (en) * 2009-10-15 2016-02-03 交互数字专利控股公司 Method and device in system including the device
CN102656589A (en) * 2009-12-15 2012-09-05 微软公司 Verifiable trust for data through wrapper composition
CN104335549A (en) * 2012-06-07 2015-02-04 阿尔卡特朗讯公司 Secure data processing
US20150261576A1 (en) * 2014-03-17 2015-09-17 Vmware, Inc. Optimizing memory sharing in a virtualized computer system with address space layout randomization enabled in guest operating systems
CN105184113A (en) * 2014-03-27 2015-12-23 英特尔公司 Hardware-assisted Virtualization For Implementing Secure Video Output Path
CN106716434A (en) * 2014-10-21 2017-05-24 英特尔公司 Memory protection key architecture with independent user and supervisor domains
GB201510526D0 (en) * 2015-06-16 2015-07-29 Advanced Risc Mach Ltd Data processing apparatus and method with ownership table
GB2539428A (en) * 2015-06-16 2016-12-21 Advanced Risc Mach Ltd Data processing apparatus and method with ownership table
US20180129611A1 (en) * 2015-06-16 2018-05-10 Arm Limited Data processing apparatus and method with ownership table
US10404674B1 (en) * 2017-02-28 2019-09-03 Amazon Technologies, Inc. Efficient memory management in multi-tenant virtualized environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HANJUN SHIN et al.: "TopDom: an efficient and deterministic method for identifying topological domains in genomes", pages 1-13, retrieved from the Internet <URL: https://academic.oup.com/nar/article/44/7/e70/2467818?login=true> *
ZHENG Xianyi et al.: "A survey of system security isolation technologies", Chinese Journal of Computers, vol. 40, no. 6, 4 July 2017 (2017-07-04), pages 1057-1079 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111339533A (en) * 2020-02-14 2020-06-26 北京工业大学 Application layer-oriented trusted cryptographic module interface design method
CN111339533B (en) * 2020-02-14 2023-04-28 北京工业大学 Application layer-oriented trusted cryptographic module interface design method
CN112003937A (en) * 2020-08-21 2020-11-27 西安寰宇卫星测控与数据应用有限公司 Satellite data transmission method, satellite data transmission device, computer equipment and storage medium
CN112003937B (en) * 2020-08-21 2023-08-15 西安寰宇卫星测控与数据应用有限公司 Satellite data transmission method, device, computer equipment and storage medium
WO2024000565A1 (en) * 2022-07-01 2024-01-04 Intel Corporation Methods and apparatuses to debug confidential virtual machine for processor in production mode
CN117407864A (en) * 2023-12-13 2024-01-16 苏州元脑智能科技有限公司 Trusted domain expansion method, system, device, equipment and computer medium
CN117407864B (en) * 2023-12-13 2024-02-27 苏州元脑智能科技有限公司 Trusted domain expansion method, system, device, equipment and computer medium

Also Published As

Publication number Publication date
EP3885958A1 (en) 2021-09-29
JP7118767B2 (en) 2022-08-16
US11687654B2 (en) 2023-06-27
KR20190031136A (en) 2019-03-25
JP2022172095A (en) 2022-11-15
US20230315857A1 (en) 2023-10-05
EP3457311A1 (en) 2019-03-20
JP2019053720A (en) 2019-04-04
US20190087575A1 (en) 2019-03-21
EP3657378B1 (en) 2021-05-26
EP3657378A1 (en) 2020-05-27
EP3457311B1 (en) 2020-02-26

Similar Documents

Publication Publication Date Title
CN109508555A (en) Providing isolation in virtualized systems using trust domains
CN105474227B (en) Secure memory repartitioning
EP3671515B1 (en) Method and apparatus for trust domain creation and destruction
US20210004483A1 (en) Secure Public Cloud
CN106575261A (en) Memory initialization in a protected region
CN104954356B (en) Protecting a shared interconnect for virtual machines
TWI697804B (en) Platform migration of secure enclaves
US11748146B2 (en) Scalable virtual machine operation inside trust domains within the trust domain architecture
CN110659244A (en) Inline coding capability
CN108509250A (en) Secure public cloud with protected guest-verified host control
CN107851170A (en) Supporting configurable security levels for memory address ranges
CN114902225A (en) Cryptographic computation in a multi-tenant environment
CN110472444A (en) Preventing unauthorized access to encrypted memory
CN110321729A (en) Supporting memory paging in virtualized systems using trust domains
EP3671522A1 (en) Secure encryption key management in trust domains
WO2014122554A1 (en) Key-based data security management
CN109690546A (en) Supporting oversubscription of guest enclave memory pages
CN107924442A (en) Method and apparatus for lightweight virtualization context
CN117931376A (en) Scalable virtual machine operations within trust domains within trust domain architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination